How to revoke an openssl certificate when you don't have the certificate

openssl revoke certificate command
certificate revocation check
openssl crl distribution point
easy-rsa revoke certificate
self-signed certificate revoke
openvpn list revoked certificates
how to view certificate revocation list
how to unrevoke a certificate

I made an openssl certificate signed by the CA created on the local machine.

This certificate was deleted and I don't have it anymore.

It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:

failed to update database
TXT_DB error number 2

How can I revoke the certificate to create another one with the same commonName ?

(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by its index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:

openssl ca -revoke /etc/ssl/newcerts/1013.pem #replacing the serial number

The -keyfile and -cert mentioned in Nilesh's answer are only required if that deviates from your openssl.cnf settings.


Alternatively you can also change /etc/ssl/index.txt.attr to contain the line

unique_subject = no

to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OSCP server or provide CRLs.

How to revoke the certificate and generate a CRL with openssl, Even if you don't keep a copy of all of the certificates that you've issued, the CA infrastructure we created does. We can obtain a copy of the  [root@node3 CA]# openssl ca -revoke testcert.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Revoking Certificate 01. Data Base Updated The command-line tool prompts us for a passphrase.

I haven't tried this but it looks like you need something like this.

openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

openssl automatically saves a copy of your cert at newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml

How do I revoke the certificate and generate a CRL?, First use openssl ca -revoke $certfile much as you did, but if you want to specify a reason (you don't need to) you must use a flag like  You will also need a copy of the private key in PEM format. Once you have these,you can revoke the certificate like so: certbot revoke --cert-path /PATH/TO/cert.pem --key-path /PATH/TO/key.pem. Using a different authorized account.

Like the other answers say, openssl CA usually keeps a copy of signed certificates in a subdirectory (newcerts or certs, or keys with easyrsa. Look for new_certs_dir definition in the openssl.cnf file of your authority or -outdir option in the scripts).

Thus, the canonical way of doing is something along :

openssl ca -config openssl.cnf -revoke newcerts/hello-world.pem

However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there) so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it :

# before
V   291008172120Z       6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com
# after
R   291008172120Z   191011172218Z   6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com

# Format is 6 fields, tab-separated, and filename is usually 'unknown' :
# CRL doesn't contain nor need the subject so if unavailable, just make up something close
V/R/E   expiration-date revocation-date serial-number   filename    subject

(tested with OpenSSL 1.1.1c. On some other version/environment, serial number can be much shorter)

The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.

Certificate revocation lists — OpenSSL Certificate Authority, You can check the contents of the CRL with the crl tool. # openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text. No certificates have been revoked yet,  I generated a private key and a certificate for my CA: ca.key ca.pem Then I generated a client certificate for a user: openssl ecparam -genkey -name prime256v1 | openssl ec -out user.key openssl

Certificate management, CA.pl -newreq (openssl req -config /etc/openssl.cnf -new -keyout newreq.pem -​out newreq.pem You now need to generate the new revoked list of certificates:​  openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt openssl automatically saves a copy of your cert at newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it.

Revoking certificates - Let's Encrypt, When you revoke a Let's Encrypt certificate, Let's Encrypt will publish that You can then revoke the resulting certificate if you don't want it,  Alice finds out and needs to revoke his access immediately. # cd/root/ca# opensslca -config intermediate/openssl.cnf \-revoke intermediate/certs/bob@example.com.cert.pemEnter pass phrase for intermediate.key.pem:secretpasswordRevoking Certificate 1001. Data Base Updated.

SSL certificate revocation and how it is broken in practice, But sometimes you need to revoke a certificate beforehand, usually due tend to use soft-fail (ignore) behavior, when they don't receive OCSP  You might inspect the CRL afterward with openssl crl -in crlfile.pem -text and you should see that the serial number of the revoked certificate is listed in the CRL. Cheers, Olaf -- Dipl.Inform.

Comments
  • Great answer! Thanks a lot! For easy-rsa users it is: /etc/openvpn/easy-rsa/revoke-full /etc/openvpn/easy-rsa/01.pem and the list of all signed certificates with their index can be found in /etc/openvpn/easy-rsa/keys/index.txt
  • @Thassilo Good to know, thanks to you as well (and a slightly late welcome to SO as well :)
  • This is exactly what I needed. If anyone came here looking for help when they screwed up their revocation using OpenVPN's tool (like me), then you can copy the "revoke-full" script and make a change to it. You'll want to still maintain the CRL (Certificate revocation lists), so edit your copied 'revoke-full' and change the line for $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" to be: $OPENSSL ca -revoke /etc/openvpn/easy-rsa/keys/YOUR-PEM.pem -config "$KEY_CONFIG"
  • Some more details (assuming default configuration): Grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then just openssl ca -revoke /etc/ssl/newcerts/1013.pem (replacing the serial number) The -keyfile and -cert are only required if that deviates from your openssl.cnf settings
  • @TobiasKienzler This solved my problem. Perhaps it should be a full answer.
  • @MichaelHampton Glad to hear, I reposted it