| Summary: | ipa cert-revoke --help doesn't provide enough info on revocation reasons | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Aneta Šteflová Petrová <apetrova> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | dkupka, mbasti, pvoborni, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:37:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5819

ipa help cert contains the information.

Thanks, Rob, I didn't know that. Is it possible to refer the users to "ipa help cert" from the "ipa cert-revoke -h" output?

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/deb896768f395dc535ad72715bad4339c97a6a8b

Did this patch get missed/reverted?

```
[root@master ~]# ipa cert-revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]
Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)
  --ca=STR              Name of issuing CA
[root@master ~]# rpm -q ipa-server
ipa-server-4.4.0-9.el7.x86_64
```
Looks like regression in thin client or something.

No, the change was undone here: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6327 #6327

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/75f77e0f2a55de4802b2ab74a0e6f50eaf728dc8
ipa-4-4: https://fedorahosted.org/freeipa/changeset/43ab75e56d8e661c51cc45803c4f7752e24bcde7

Verified.

Version ::
ipa-server-4.5.0-4.el7.x86_64

Results ::

```
[root@auto-hv-02-guest08 ~]# ipa cert-revoke --help
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]
Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.
  --ca=STR              Name of issuing CA
[root@auto-hv-02-guest08 ~]# ipa help cert
IPA certificate operations

Implements a set of commands for managing server SSL certificates.

Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.

The dogtag CA uses just the CN value of the CSR and forces the rest of the
subject to values configured in the server.

A certificate is stored with a service principal and a service principal
needs a host.

In order to request a certificate:

* The host must exist
* The service must exist (or you use the --add option to automatically add it)

SEARCHING:

Certificates may be searched on by certificate subject, serial number,
revocation reason, validity dates and the issued date.

When searching on dates the _from date does a >= search and the _to date
does a <= search. When combined these are done as an AND.

Dates are treated as GMT to match the dates in the certificates.

The date format is YYYY-mm-dd.

EXAMPLES:

 Request a new certificate and add the principal:
   ipa cert-request --add --principal=HTTP/lion.example.com example.csr

 Retrieve an existing certificate:
   ipa cert-show 1032

 Revoke a certificate (see RFC 5280 for reason details):
   ipa cert-revoke --revocation-reason=6 1032

 Remove a certificate from revocation hold status:
   ipa cert-remove-hold 1032

 Check the status of a signing request:
   ipa cert-status 10

 Search for certificates by hostname:
   ipa cert-find --subject=ipaserver.example.com

 Search for revoked certificates by reason:
   ipa cert-find --revocation-reason=5

 Search for certificates based on issuance date
   ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07

 Search for certificates owned by a specific user:
   ipa cert-find --user=user

 Examine a certificate:
   ipa cert-find --file=cert.pem --all

 Verify that a certificate is owned by a specific user:
   ipa cert-find --file=cert.pem --user=user

IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future use
or the case where a CA does not immediately issue a certificate.

The following revocation reasons are supported:

    * 0 - unspecified
    * 1 - keyCompromise
    * 2 - cACompromise
    * 3 - affiliationChanged
    * 4 - superseded
    * 5 - cessationOfOperation
    * 6 - certificateHold
    * 8 - removeFromCRL
    * 9 - privilegeWithdrawn
    * 10 - aACompromise

Note that reason code 7 is not used. See RFC 5280 for more details:
http://www.ietf.org/rfc/rfc5280.txt

Topic commands:
  cert-find         Search for existing certificates.
  cert-remove-hold  Take a revoked certificate off hold.
  cert-request      Submit a certificate signing request.
  cert-revoke       Revoke a certificate.
  cert-show         Retrieve an existing certificate.
  cert-status       Check the status of a certificate signing request.

To get command help, use:
  ipa <command> --help
[root@auto-hv-02-guest08 ~]#
```
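As an added illustration (not code from this bug report or from FreeIPA itself), the Python below models two points from the `ipa help cert` text above: the RFC 5280 CRLReason codes that `--revocation-reason` accepts (0 to 10, with 7 unused), and the inclusive, GMT-based date matching that `cert-find` applies to `--issuedon-from` / `--issuedon-to`. The function names, the record layout and the certificate records are constructed for this example and do not mirror FreeIPA's internal API.

```python
from datetime import datetime, timedelta, timezone

# RFC 5280 section 5.3.1 CRLReason values, as listed in `ipa help cert`.
# Code 7 is deliberately absent: the RFC does not define it.
REVOCATION_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}


def parse_revocation_reason(value):
    """Turn a --revocation-reason argument into a CRLReason code.

    Accepts the integer (as int or string) or the RFC name, case-insensitively,
    so an operator can write 'keyCompromise' instead of remembering '1'.
    Raises ValueError for 7 and for anything outside 0-10.
    """
    text = str(value).strip()
    if text.isdigit():
        code = int(text)
    else:
        by_name = {name.lower(): code for code, name in REVOCATION_REASONS.items()}
        if text.lower() not in by_name:
            raise ValueError("unknown revocation reason name: %r" % (value,))
        code = by_name[text.lower()]
    if code not in REVOCATION_REASONS:
        raise ValueError("revocation reason must be 0-10 and not 7, got %d" % code)
    return code


def is_valid_reason(value):
    """True if parse_revocation_reason() would accept the value."""
    try:
        parse_revocation_reason(value)
        return True
    except ValueError:
        return False


def reason_name(code):
    """Human-readable name for a CRLReason code (e.g. 6 -> 'certificateHold')."""
    return REVOCATION_REASONS[parse_revocation_reason(code)]


def _gmt_day(text):
    # cert-find dates are YYYY-mm-dd and are interpreted as GMT calendar days.
    return datetime.strptime(text, "%Y-%m-%d").date()


def cert_find(certs, issuedon_from=None, issuedon_to=None, revocation_reason=None):
    """Filter certificate records with cert-find's documented semantics:
    _from is >=, _to is <=, both inclusive and combined with AND; a
    certificate's issue time is converted to GMT before its calendar day is
    compared. Returns the matching serial numbers in input order."""
    lo = _gmt_day(issuedon_from) if issuedon_from else None
    hi = _gmt_day(issuedon_to) if issuedon_to else None
    reason = None if revocation_reason is None else parse_revocation_reason(revocation_reason)
    matches = []
    for cert in certs:
        issued_day = cert["issued"].astimezone(timezone.utc).date()
        if lo is not None and issued_day < lo:
            continue
        if hi is not None and issued_day > hi:
            continue
        if reason is not None and cert["revocation_reason"] != reason:
            continue
        matches.append(cert["serial"])
    return matches


# Constructed sample records (not real certificates). The tz-aware "issued"
# timestamps let the GMT rule show: serial 1034 was issued late on Feb 7 in
# UTC-5, which is already Feb 8 in GMT, so --issuedon-to=2013-02-07 excludes it.
UTC = timezone.utc
EST = timezone(timedelta(hours=-5))
SAMPLE_CERTS = [
    {"serial": 1032, "issued": datetime(2013, 2, 1, 9, 0, tzinfo=UTC), "revocation_reason": 6},
    {"serial": 1033, "issued": datetime(2013, 2, 7, 23, 59, tzinfo=UTC), "revocation_reason": 5},
    {"serial": 1034, "issued": datetime(2013, 2, 7, 23, 30, tzinfo=EST), "revocation_reason": None},
    {"serial": 1035, "issued": datetime(2013, 1, 31, 23, 59, tzinfo=UTC), "revocation_reason": 1},
]

if __name__ == "__main__":
    print(cert_find(SAMPLE_CERTS, "2013-02-01", "2013-02-07"))  # [1032, 1033]
    print(cert_find(SAMPLE_CERTS, revocation_reason=5))          # [1033]
    print(reason_name(6), is_valid_reason(7))                     # certificateHold False
```

The rejection of code 7 is the part a wrapper script most often gets wrong: a naive `0 <= n <= 10` range check would let an undefined CRLReason through to the CA.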
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304
Description of problem:

The "ipa cert-revoke -h" command prints the following:

```
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)
```

Some users probably don't know which numbers correspond to which revocation reasons.

Expected results:

The "ipa cert-revoke -h" output could include a list of the numbers and the corresponding reasons to revoke a certificate. Or, if the list is available in a man page somewhere, the "--revocation-reason" description could just refer the users to that man page.