How to revoke an openssl certificate when you don't have the certificate
I made an openssl certificate signed by the CA created on the local machine.
This certificate was deleted and I don't have it anymore.
It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:

    failed to update database TXT_DB error number 2

How can I revoke the certificate to create another one with the same commonName?
(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by its index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:

    openssl ca -revoke /etc/ssl/newcerts/1013.pem   # replacing the serial number

-cert mentioned in Nilesh's answer are only required if that deviates from your
Alternatively you can also change /etc/ssl/index.txt.attr to contain the line

    unique_subject = no

to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OCSP server or provide CRLs.
I haven't tried this but it looks like you need something like this:

    openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

openssl automatically saves a copy of your cert at the newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml
Like the other answers say, openssl CA usually keeps a copy of signed certificates in a subdirectory (keys with easyrsa. Look for the new_certs_dir definition in the openssl.cnf file of your authority or the -outdir option in the scripts).

Thus, the canonical way of doing it is something along the lines of:

    openssl ca -config openssl.cnf -revoke newcerts/hello-world.pem
However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there), so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it:

    # before
    V    291008172120Z                  6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown    /C=FR/CN=coucou.com
    # after
    R    291008172120Z    191011172218Z    6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown    /C=FR/CN=coucou.com

    # Format is 6 fields, tab-separated, and filename is usually 'unknown':
    # CRL doesn't contain nor need the subject so if unavailable, just make up something close
    V/R/E    expiration-date    revocation-date    serial-number    filename    subject
(tested with OpenSSL 1.1.1c. On some other version/environment, serial number can be much shorter)
Then

    openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem

will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.
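The index.txt edit described in this answer, as an added example that is not code from any of the answers above: it flips a V line to R and fills in the revocation date the way openssl ca -revoke does, refusing to touch a serial that is missing or already revoked. The sample index content, serials and dates are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed index.txt content: one valid entry and one already-revoked entry.
# Six tab-separated fields: status, expiry, revocation date, serial, filename, subject.
SAMPLE_INDEX = (
    "V\t291008172120Z\t\t6DB67443D7E6C2D95D6E2F7F264C05F944964049\tunknown\t/C=FR/CN=coucou.com\n"
    "R\t281001120000Z\t191011172218Z\t1012\tunknown\t/C=FR/CN=old.example\n"
)


def asn1_utctime(dt):
    """Format a datetime the way index.txt stores dates: YYMMDDHHMMSSZ in UTC."""
    return dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def revoke_in_index(index_text, serial, revocation_stamp=None):
    """Return index_text with the entry for `serial` marked revoked.

    Mirrors what `openssl ca -revoke` writes to the database: status V -> R and
    the revocation-date field filled in. Raises instead of silently returning an
    unchanged database when the serial is absent or is not currently valid.
    """
    stamp = revocation_stamp or asn1_utctime(datetime.now(timezone.utc))
    out, found = [], False
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, _rev, ser, fname, subject = fields
        if ser.upper() == serial.upper():
            found = True
            if status != "V":
                raise ValueError("serial %s is not valid (status %s)" % (serial, status))
            fields = ["R", expiry, stamp, ser, fname, subject]
        out.append("\t".join(fields))
    if not found:
        raise KeyError("serial %s not in index.txt" % serial)
    return "\n".join(out) + "\n"


def revoked_serials(index_text):
    """Serial numbers that `openssl ca -gencrl` would list in the CRL (status R)."""
    return [l.split("\t")[3] for l in index_text.splitlines() if l.startswith("R\t")]
```

After writing the result back over index.txt, the gencrl step above picks up the new R line; the CA's serial and index.txt.attr files are not involved.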
- Great answer! Thanks a lot! For easy-rsa users it is: /etc/openvpn/easy-rsa/revoke-full /etc/openvpn/easy-rsa/01.pem and the list of all signed certificates with their index can be found in /etc/openvpn/easy-rsa/keys/index.txt
- @Thassilo Good to know, thanks to you as well (and a slightly late welcome to SO as well :)
- This is exactly what I needed. If anyone came here looking for help when they screwed up their revocation using OpenVPN's tool (like me), then you can copy the "revoke-full" script and make a change to it. You'll want to still maintain the CRL (Certificate revocation lists), so edit your copied 'revoke-full' and change the line for $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" to be: $OPENSSL ca -revoke /etc/openvpn/easy-rsa/keys/YOUR-PEM.pem -config "$KEY_CONFIG"
- Some more details (assuming default configuration): Grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then just openssl ca -revoke /etc/ssl/newcerts/1013.pem (replacing the serial number). The -cert are only required if that deviates from your
- @TobiasKienzler This solved my problem. Perhaps it should be a full answer.
- @MichaelHampton Glad to hear, I reposted it