pki-bot / pki-issues-final


Unable to revoke a Subordinate CA signing Certificate with pki cert-revoke --ca option #923

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #930. Originally filed by mrniranjan (@mrniranjan) on 2014-03-25 13:05:13:


The pki cert-revoke --ca option can be used to revoke a CA signing certificate, but this option seems to be usable only on the root CA; it seems it cannot be used to revoke any CA signing certificates generated by that CA.

Example:

  1. Install CA subsystem using pkispawn
  2. Install a subca to CA installed in step-1:

I could not use the --ca option to revoke a subordinate CA signing certificate:

[root@pkiserver1 nssdb]# pki -d . -n "PKI Administrator for example.org" -p 12080 cert-revoke 0xc --reason "Certificate_Hold" --ca
Placing certificate on-hold:
  Serial Number: 0xc
  Issuer: CN=CA Signing Certificate,O=Example1 Domain
  Subject: CN=CA Subordinate Signing Certificate,O=Example1 Domain
  Status: REVOKED
  Not Before: Wed Mar 19 12:58:08 EDT 2014
  Not After: Tue Mar 08 11:58:08 EST 2016
Are you sure (Y/N)? Y
UnauthorizedException: Certificate 0xc is not a CA signing certificate

0xc is the subordinate CA signing certificate.

But if --ca is not used, then we could revoke the above certificate:

[root@pkiserver1 nssdb]# pki -d . -n "PKI Administrator for example.org" -p 12080 cert-revoke 0x1 --reason "Certificate_Hold" --ca
Placing certificate on-hold:
  Serial Number: 0x1
  Issuer: CN=CA Signing Certificate,O=Example1 Domain
  Subject: CN=CA Signing Certificate,O=Example1 Domain
  Status: VALID
  Not Before: Wed Mar 12 08:40:00 EDT 2014
  Not After: Sun Mar 12 08:40:00 EDT 2034
Are you sure (Y/N)? Y
--------------------------------
Placed certificate "0x1" on-hold
--------------------------------
  Serial Number: 0x1
  Issuer: CN=CA Signing Certificate,O=Example1 Domain
  Subject: CN=CA Signing Certificate,O=Example1 Domain
  Status: REVOKED
  Not Before: Wed Mar 12 08:40:00 EDT 2014
  Not After: Sun Mar 12 08:40:00 EDT 2034

Versions:

pki-ca-10.2.0-0.1.20140320T0343zgit24294c0.fc20.noarch
pki-tools-10.2.0-0.1.20140320T0343zgit24294c0.fc20.x86_64
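Added example, not code from the report or from Dogtag: the page does not say how the server decides that 0xc "is not a CA signing certificate", so this shows the check a --ca style guard is expected to make and why a subordinate CA signing certificate should pass it. Whether a certificate is a CA signing certificate is a property of the certificate itself (basicConstraints CA:TRUE plus keyUsage keyCertSign), not of whether it sits at the root of the hierarchy. The root/subordinate/leaf certificates are constructed test data built with Go's crypto/x509, with serials 0x1 and 0xc chosen to mirror the report; ClassifyCert, RevokeGuard and BuildHierarchy are hypothetical names introduced here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertClass is the answer a --ca style guard needs before revoking a certificate.
type CertClass int

const (
	EndEntity     CertClass = iota // ordinary certificate: no --ca needed
	RootCASigning                  // self-issued CA signing certificate
	SubCASigning                   // CA signing certificate issued by a parent CA
)

func (c CertClass) String() string {
	return [...]string{"end-entity", "root CA signing", "subordinate CA signing"}[c]
}

// ClassifyCert decides from the certificate alone whether it is a CA signing
// certificate: basicConstraints CA:TRUE and keyUsage keyCertSign. Root versus
// subordinate is only whether issuer and subject are the same DN; both are CA
// signing certificates and both should be accepted by a --ca guard.
func ClassifyCert(c *x509.Certificate) CertClass {
	if !(c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0) {
		return EndEntity
	}
	if bytes.Equal(c.RawIssuer, c.RawSubject) {
		return RootCASigning
	}
	return SubCASigning
}

// RevokeGuard models the expected --ca safeguard (hypothetical, not Dogtag's code):
// a CA signing certificate may only be revoked when the caller passes --ca, and
// --ca is refused for anything that is not a CA signing certificate.
func RevokeGuard(c *x509.Certificate, caFlag bool) error {
	class := ClassifyCert(c)
	switch {
	case class == EndEntity && caFlag:
		return fmt.Errorf("certificate 0x%x is not a CA signing certificate", c.SerialNumber)
	case class != EndEntity && !caFlag:
		return fmt.Errorf("certificate 0x%x is a %s certificate; --ca is required", c.SerialNumber, class)
	}
	return nil
}

// template returns a certificate template; ca selects CA:TRUE with keyCertSign/cRLSign.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example1 Domain"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a P-256 key for tmpl and signs it with signer; a nil signer
// means self-signed (parent must then be tmpl itself).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy creates constructed test data mirroring the report: root CA 0x1,
// subordinate CA 0xc issued by the root, and one end-entity certificate under it.
func BuildHierarchy() (root, sub, leaf *x509.Certificate, err error) {
	rootTmpl := template("CA Signing Certificate", 0x1, true)
	root, rootKey, err := issue(rootTmpl, rootTmpl, nil)
	if err != nil {
		return
	}
	sub, subKey, err := issue(template("CA Subordinate Signing Certificate", 0xc, true), root, rootKey)
	if err != nil {
		return
	}
	leaf, _, err = issue(template("server.example.org", 0x2d, false), sub, subKey)
	return
}

func main() {
	root, sub, leaf, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{root, sub, leaf} {
		fmt.Printf("0x%x %-36s %s\n", c.SerialNumber, c.Subject.CommonName, ClassifyCert(c))
	}
	// The case from the report: placing 0xc on hold with --ca. A guard that looks at
	// the certificate's own extensions accepts it; only a guard that compares the
	// serial against the CA's own signing certificate would refuse it.
	fmt.Println("revoke 0xc --ca:", RevokeGuard(sub, true))
}
```

The guard deliberately keys on basicConstraints and keyCertSign rather than on subject names or on "is this serial the CA's own certificate", because those are what make a certificate able to sign other certificates and CRLs, and that is the property the extra confirmation step exists to protect.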

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2014-03-31 20:30:40

Per CS/DS meeting of 03/31/2014 - Is this just an error message change, or usage? Seems like a corner case with a workaround, 10.3.

pki-bot commented 3 years ago

Comment from mrniranjan (@mrniranjan) at 2017-02-27 14:12:12

Metadata Update from @mrniranjan: