Hi Marko,

I am confused... revoking a certificate does not change the certificate itself; revocation information is "external" status information that is usually distributed to the communication parties using a CRL or OCSP. It might be the case that your CA tool adds some textual metadata to the files, but this is nothing which is read by OpenXPKI; we just parse the PEM encoded data and strip anything else around it.

The identifier in OpenXPKI is the digest of the certificate body; you should not get the same hash for another certificate, which also indicates to me that your "revoked" certificate file and the "original" are just the same one with regard to the PEM encoded certificate.

OpenXPKI holds the revocation info as a field in the database next to the cert; you can update this using `openxpkicli --realm myrealm import_certificate` with the update and revoked flags (see perldoc OpenXPKI::Server::API2::Plugin::Cert::import_certificate).

best regards

Oli


On 20.10.24 12:23, openxpki.p9abw--- via OpenXPKI-users wrote:
Hi Oliver
Good to know.


Topic "metadata":
I created an intermediate certificate on my offline computer with my root CA
and imported it. OpenXPKI shows the following data:

-------------
Certificate Serial
d639df36930e93607eb2a83b378675ce


Certificate Identifier
7LgtOek-y16Jr2rmgHHwwE0K09k

not before
2024-10-16 22:28:26 UTC
not after
2034-10-14 22:28:26 UTC

Status
Issued
-------

Then I revoked it with my root CA and tried to import the new "revoked" certificate, but
it doesn't work. OpenXPKI says that it already exists and shows me the old identifier of the old
"unrevoked" certificate. So I tried to delete it.

-------------------------

root@pki:~# openxpkiadm certificate remove --name "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
Successfully deleted certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k) from database.

root@pki:~# openxpkiadm certificate remove --name "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
Certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k) not found in database.

-------------------------------

The old certificate can't be found via CLI or web UI anymore. So I imported the new
revoked certificate, which also has a different serial number
(87:aa:fe:e2:be:52:4e:ba:7d:01:ce:02:8b:01:e3:33), but it always brings the old
one up.

--------------
openxpkiadm certificate import --file first_realm_new.crt (I checked the file
100 times, it's the new one)
Starting import
Successfully imported certificate into database:
   Subject:    CN=MS Intermediate CA,O=MS
   Issuer:     CN=MS Root CA,O=MasterSign
   Identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k
   Realm:      none


----


It's again the old identifier, and if I look at the web UI for this identifier I
get the old certificate with the old serial number.

I'm really really confused about this.




Oliver Welter - mail at oliwel.de <[email protected]>
wrote on Saturday, 19 October 2024 at 19:00:

Hi Marko,

the certificate handling part of the openxpkiadm command is known to be
broken, we are building a new CLI which will hopefully be available at
least in a beta state with the next release.

I don't understand what you mean by "metadata" - you cannot change a
certificate's validity without changing the cert - what kind of cert is
this and how is it used? There are several commands for certificate
management using the "openxpkicli" interface via the API that might be
helpful, or the fast way is to just use SQL...

Oliver

On 19.10.24 16:51, openxpki.p9abw--- via OpenXPKI-users wrote:

Heho
I'm pretty new to OpenXPKI and ran into a little problem.

Ref: https://github.com/openxpki/openxpki/issues/920#issuecomment-2423776202

If I try to remove a certificate I get the following output:
-----------
openxpkiadm certificate remove --name 7LgtOek-y16Jr3rmgHHwwE0K08k --debug 128
[DEBUG] New session of type 'Memory' created
I18N_OPENXPKI_SERVER_CONTEXT_CTX_OBJECT_NOT_DEFINED
OBJECT: session
---------
With --force I can remove the certificate, but it doesn't get removed
completely. So if I re-import the revoked certificate then it shows the old
metadata (instead of expiring in 2024, it shows 2034).

I can't really understand how to fix this. Is it a possible configuration error?

Greetings
Marko

Debian Bookworm
Version (core): 3.30.3

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!




--
Protect your environment - close windows and adopt a penguin!
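The point made at the top of this thread, that the identifier is a digest of the certificate body and that text a CA tool writes around the PEM armour never reaches it, can be checked offline. The following is an added example written for this thread, not code from OpenXPKI or from either poster. It assumes the identifier is the URL-safe base64 encoding of SHA-1 over the DER without padding (which matches the 27-character identifiers shown above; the authoritative definition lives in OpenXPKI::Crypt::X509), and it uses constructed minimal DER structures carrying only a version and the two serial numbers from the thread in place of real certificates, so that it runs with the Python standard library alone.

```python
"""Added example (not OpenXPKI's own code): why a re-exported "revoked" PEM
file yields the same certificate identifier as the original file.

Assumptions: identifier = base64url(SHA-1(DER)) without padding (matches the
27-character identifiers on the page); the "certificates" are constructed
minimal DER structures SEQUENCE { SEQUENCE { [0] version, INTEGER serial } },
not real X.509 certificates."""
import base64
import hashlib
import re

# Serial numbers quoted in the thread: the first import and the re-issued cert.
SERIAL_OLD = 0xD639DF36930E93607EB2A83B378675CE
SERIAL_NEW = 0x87AAFEE2BE524EBA7D01CE028B01E333

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Extract the first PEM certificate block. Anything outside the BEGIN/END
    armour (tool-specific status text, comments) is simply ignored."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def cert_identifier(der: bytes) -> str:
    """Assumed identifier scheme: URL-safe base64 of SHA-1(DER), no padding."""
    digest = hashlib.sha1(der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        pos += 2 + nb
    return tag, buf[pos:pos + length], pos + length


def toy_certificate(serial: int) -> bytes:
    """Constructed stand-in for a certificate carrying only version and serial."""
    # DER positive INTEGER: a leading 0x00 is added when the top bit is set.
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _tlv(0x30, version + _tlv(0x02, serial_bytes))
    return _tlv(0x30, tbs)


def serial_from_der(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [optional version] -> serialNumber."""
    tag, cert_body, _ = _read_tlv(der, 0)
    tag2, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, field, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:  # the explicit version tag is absent in v1 certificates
        tag, field, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(field, "big", signed=True)


def to_pem(der: bytes, metadata: str = "") -> str:
    """Write a PEM file, optionally prefixed with free-text lines a CA tool adds."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return metadata + "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def describe(file_text: str) -> dict:
    """What an importer sees: identifier and serial, both derived from the DER only."""
    der = pem_to_der(file_text)
    return {"identifier": cert_identifier(der), "serial": format(serial_from_der(der), "x")}


if __name__ == "__main__":
    original = to_pem(toy_certificate(SERIAL_OLD))
    # Same certificate body, re-exported with a status line in front of the armour.
    annotated = to_pem(toy_certificate(SERIAL_OLD), "Status: Revoked 2024-10-20\n")
    reissued = to_pem(toy_certificate(SERIAL_NEW))
    for name, text in (("original", original), ("annotated", annotated), ("reissued", reissued)):
        print(name, describe(text))
```

Running it shows that the "annotated" file produces exactly the identifier of the original, because the bytes between the armour lines are unchanged, while a certificate with the other serial from the thread produces a different identifier. If a file that is supposed to be a newly issued certificate still hashes to the old identifier, the cure is to check the DER bytes of the two files (for example with `openssl x509 -in FILE -noout -serial`) rather than anything written around them.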


