Hi Marko,
I am confused... revoking a certificate does not change the certificate
itself, revocation information is an "external" status information that
is usually distributed to the communication parties using a CRL or
OCSP. It might be the case that your CA tool adds some textual
metadata in the files but this is nothing which is read by OpenXPKI, we
just parse the PEM encoded data and strip anything else around.
The identifier in OpenXPKI is the digest of the certificate body, you
should not get the same hash for another certificate which also
indicates to me that your "revoked" certificate file and the "original"
are just the same one with regards to the PEM encoded certificate.
OpenXPKI holds the revocation info as a field in the database next to
the cert, you can update this using `openxpkicli --realm myrealm
import_certificate` with the update and revoked flag (see perldoc
OpenXPKI::Server::API2::Plugin::Cert::import_certificate).
best regards
Oli
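As an added illustration of the point above (example code, not from the thread or from OpenXPKI itself): a small Python script that keeps only the PEM body of a file and derives an identifier from its digest, so textual notes a CA tool writes around the block never change the result. It assumes the identifier scheme is base64url(SHA-1(DER)) with padding stripped, which matches the 27-character identifiers quoted in this thread, and uses constructed byte strings in place of real certificates.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block; anything outside it (openssl -text dumps,
# "Revoked:" notes, comments) is ignored, as on import into a PKI database.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def extract_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def cert_identifier(pem_text: str) -> str:
    """Assumed scheme: base64url(SHA-1(DER)) without '=' padding (27 chars)."""
    digest = hashlib.sha1(extract_der(pem_text)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def to_pem(der: bytes, prefix: str = "", suffix: str = "") -> str:
    """Wrap DER bytes in PEM armour, optionally surrounded by free text."""
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return (f"{prefix}-----BEGIN CERTIFICATE-----\n{lines}\n"
            f"-----END CERTIFICATE-----\n{suffix}")

# Constructed stand-ins for DER certificate bodies (not real certificates).
ORIGINAL_DER = b"\x30\x82\x01\x00constructed-cert-body-serial-d639df36"
OTHER_DER = b"\x30\x82\x01\x00constructed-cert-body-serial-87aafee2"

def demo():
    """Return identifiers for: the original file, the same certificate with
    revocation notes written around the PEM block, and a different certificate."""
    original = to_pem(ORIGINAL_DER)
    annotated = to_pem(ORIGINAL_DER,
                       prefix="Revoked: 2024-10-20 (constructed note)\n",
                       suffix="Status: revoked\n")
    reissued = to_pem(OTHER_DER)
    return cert_identifier(original), cert_identifier(annotated), cert_identifier(reissued)

if __name__ == "__main__":
    a, b, c = demo()
    print("original :", a)
    print("annotated:", b, "(same identifier -> same certificate body)")
    print("other    :", c, "(different body -> different identifier)")
```

If two files yield the same identifier here, they carry the same certificate, whatever the surrounding text says; a genuinely re-issued certificate with a new serial yields a new identifier.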
On 20.10.24 12:23, openxpki.p9abw--- via OpenXPKI-users wrote:
> Hi Oliver
> Good to know.
>
>
> Topic "metadata":
> I created an intermediate certificate with my offline computer with my root
> ca and imported it. Openxpki shows the following data:
>
> -------------
> Certificate Serial
> d639df36930e93607eb2a83b378675ce
>
>
> Certificate Identifier
> 7LgtOek-y16Jr2rmgHHwwE0K09k
>
> not before
> 2024-10-16 22:28:26 UTC
> not after
> 2034-10-14 22:28:26 UTC
>
> Status
> Issued
> -------
>
> Then I revoked it with my root ca and tried to import the new "revoked" certificate,
> but it doesn't work. OpenxPKI says that it already exists and shows me the old identifier of the old
> "unrevoked" certificate. So I tried to delete it.
>
> -------------------------
>
> root@pki:~# openxpkiadm certificate remove --name
> "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
> Successfully deleted certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier:
> 7LgtOek-y16Jr2rmgHHwwE0K09k) from database.
>
> root@pki:~# openxpkiadm certificate remove --name
> "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
> Certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier:
> 7LgtOek-y16Jr2rmgHHwwE0K09k) not found in database.
>
> -------------------------------
>
> The old certificate can't be found via cli or webui anymore. So I imported the
> new revoked certificate which also has a different serial number
> (87:aa:fe:e2:be:52:4e:ba:7d:01:ce:02:8b:01:e3:33), but it always brings the old one up.
>
> --------------
> openxpkiadm certificate import --file first_realm_new.crt (I checked the
> file 100 times. It's the new one)
> Starting import
> Successfully imported certificate into database:
> Subject: CN=MS Intermediate CA,O=MS
> Issuer: CN=MS Root CA,O=MasterSign
> Identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k
> Realm: none
>
>
> ----
>
>
> It's again the old identifier and if I look at the webui for this identifier
> I get the old certificate with the old serial number.
>
> I'm really really confused about this.
>
>
>
>
> Oliver Welter - mail at oliwel.de
> <[email protected]> wrote on Saturday, 19 October 2024
> at 19:00:
>
>> Hi Marko,
>>
>> the certificate handling part of the openxpkiadm command is known to be
>> broken, we are building a new CLI which will hopefully be available at
>> least in a beta state with the next release.
>>
>> I don't understand what you mean with "metadata" - you can not change a
>> certificate's validity without changing the cert - what kind of cert is
>> this and how is it used? There are several commands for certificate
>> management using the "openxpkicli" interface via the API that might be
>> helpful, or the fast way is to just use SQL...
>>
>> Oliver
>>
>> On 19.10.24 16:51, openxpki.p9abw--- via OpenXPKI-users wrote:
>>
>>> Heho
>>> I'm pretty new to openxpki and ran into a little problem.
>>>
>>> Ref:
>>> https://github.com/openxpki/openxpki/issues/920#issuecomment-2423776202
>>>
>>> If I try to remove a certificate I get the following output:
>>> -----------
>>> openxpkiadm certificate remove --name 7LgtOek-y16Jr3rmgHHwwE0K08k --debug 128
>>> [DEBUG] New session of type 'Memory' created
>>> I18N_OPENXPKI_SERVER_CONTEXT_CTX_OBJECT_NOT_DEFINED
>>> OBJECT: session
>>> ---------
>>> With --force I can remove the certificate, but it doesn't get removed
>>> completely. So if I re-import the invoked certificate then it shows the old metadata
>>> (instead of expiry 2024, it shows 2034)
>>>
>>> I can't really understand how to fix this. Is it a possible configuration
>>> error?
>>>
>>> Greetings
>>> Marko
>>>
>>> Debian Bookworm
>>> Version (core): 3.30.3
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>> --
>> Protect your environment - close windows and adopt a penguin!
>>
--
Protect your environment - close windows and adopt a penguin!