How to revoke an openssl certificate when you don't have the certificate
14-11-2019
Question
I made an openssl certificate signed by the CA created on the local machine.
This certificate was deleted and I don't have it anymore.
It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:
failed to update database
TXT_DB error number 2
How can I revoke the certificate to create another one with the same commonName?
Solution
(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by their index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:
openssl ca -revoke /etc/ssl/newcerts/1013.pem   # replace 1013 with the serial number found in index.txt
The -keyfile and -cert options mentioned in Nilesh's answer are only required if they deviate from your openssl.cnf settings.
Alternatively you can also change /etc/ssl/index.txt.attr to contain the line
unique_subject = no
to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OCSP server or provide CRLs.
Other tips
I haven't tried this but it looks like you need something like this.
openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
openssl automatically saves a copy of your cert in the newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need the certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml
Like the other answers say, openssl CA usually keeps a copy of signed certificates in a subdirectory (newcerts or certs, or keys with easyrsa. Look for the new_certs_dir definition in the openssl.cnf file of your authority or the -outdir option in the scripts).
Thus, the canonical way of doing it is something along the lines of:
openssl ca -config openssl.cnf -revoke newcerts/hello-world.pem
However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there), so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it:
# before (fields are tab-separated; the empty third field is the revocation date)
V	291008172120Z		6DB67443D7E6C2D95D6E2F7F264C05F944964049	unknown	/C=FR/CN=coucou.com
# after
R	291008172120Z	191011172218Z	6DB67443D7E6C2D95D6E2F7F264C05F944964049	unknown	/C=FR/CN=coucou.com
# Format is 6 fields, tab-separated, and filename is usually 'unknown':
# the CRL doesn't contain nor need the subject, so if unavailable, just make up something close
V/R/E	expiration-date	revocation-date	serial-number	filename	subject
(tested with OpenSSL 1.1.1c. On some other version/environment, serial number can be much shorter)
The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem command will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.
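The two manual steps the answers above rely on, grepping index.txt for the serial of a given CN (first answer) and flipping that entry from V to R with a revocation timestamp (last answer), are mechanical enough to script. The following is an added example, not code from any of the answers or from OpenSSL; it assumes the 6-field tab-separated layout described above (status, expiry, revocation date, serial, filename, subject) and works on a constructed sample index rather than a real CA directory. It also shows why the reissue is refused: with unique_subject = yes, a V entry for the same subject is exactly what blocks signing, and it stops blocking once the status is R.

```python
import re
from datetime import datetime, timezone

# Constructed sample of an index.txt: two valid ("V") entries, six
# tab-separated fields each, empty revocation-date field while valid.
SAMPLE_INDEX = (
    "V\t291008172120Z\t\t6DB67443D7E6C2D95D6E2F7F264C05F944964049\tunknown\t/C=FR/CN=coucou.com\n"
    "V\t301231235959Z\t\t1013\tunknown\t/C=FR/CN=other.example\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")
STAMP_RE = re.compile(r"\d{12}Z")  # YYMMDDHHMMSSZ, as OpenSSL writes dates in the index


def parse_index(text):
    """Split index.txt into one dict per entry; reject lines that do not have 6 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} tab-separated fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def format_index(entries):
    """Serialise entries back into the index.txt layout (tabs, trailing newline)."""
    return "".join("\t".join(e[f] for f in FIELDS) + "\n" for e in entries)


def find_serial_by_cn(entries, cn):
    """What grepping index.txt for a CN does by hand: serial of the still-valid cert for that CN."""
    for e in entries:
        # Compare whole RDN components so 'CN=a.com' does not match 'CN=a.com.evil'.
        if e["status"] == "V" and f"CN={cn}" in e["subject"].split("/"):
            return e["serial"]
    return None


def has_valid_subject(entries, subject):
    """True if a 'V' entry with this exact subject exists; with unique_subject = yes
    this is the condition behind 'failed to update database / TXT_DB error number 2'."""
    return any(e["status"] == "V" and e["subject"] == subject for e in entries)


def utc_stamp(now=None):
    """Current UTC time in the YYMMDDHHMMSSZ form used by the index."""
    return (now or datetime.now(timezone.utc)).strftime("%y%m%d%H%M%SZ")


def revoke(entries, serial, stamp=None):
    """Flip the entry for `serial` from V to R and fill in the revocation date in place."""
    stamp = stamp or utc_stamp()
    if not STAMP_RE.fullmatch(stamp):
        raise ValueError(f"bad timestamp {stamp!r}, expected YYMMDDHHMMSSZ")
    for e in entries:
        if e["serial"] == serial:
            if e["status"] == "R":
                raise ValueError(f"serial {serial} is already revoked")
            e["status"] = "R"
            e["revoked"] = stamp
            return e
    raise KeyError(f"serial {serial} not found in index")


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    serial = find_serial_by_cn(idx, "coucou.com")
    print("reissue of /C=FR/CN=coucou.com allowed before:", not has_valid_subject(idx, "/C=FR/CN=coucou.com"))
    revoke(idx, serial, "191011172218Z")  # fixed stamp so the output matches the 'after' line above
    print(format_index(idx), end="")
    print("reissue of /C=FR/CN=coucou.com allowed after:", not has_valid_subject(idx, "/C=FR/CN=coucou.com"))
```

Editing the index this way only records the revocation, exactly as the answer notes for openssl ca -revoke; nothing is signed until the -gencrl step produces the CRL with the CA key, and the edited file should be written back atomically (write a temporary file next to index.txt and rename it) so a half-written index never replaces the live one.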