RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1327207 - ipa cert-revoke --help doesn't provide enough info on revocation reasons
Summary: ipa cert-revoke --help doesn't provide enough info on revocation reasons
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-14 12:56 UTC by Aneta Šteflová Petrová
Modified: 2017-08-01 09:37 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Aneta Šteflová Petrová 2016-04-14 12:56:08 UTC 
Description of problem:

The "ipa cert-revoke -h" command prints the following:

  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)

Some users probably don't know which numbers corresponds to which revocation reasons.


Expected results:

The "ipa cert-revoke -h" output could include a list of the numbers and the corresponding reasons to revoke a certificate. Or, if the list is available in a man page somewhere, the "--revocation-reason" description could just refer the users to that man page.
Comment 1 Petr Vobornik 2016-04-14 13:02:21 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5819
Comment 3 Rob Crittenden 2016-04-14 13:29:45 UTC 
ipa help cert contains the information.
Comment 4 Aneta Šteflová Petrová 2016-04-14 13:37:26 UTC 
Thanks, Rob, I didn't know that.

Is it possible to refer the users to "ipa help cert" from the "ipa cert-revoke-h" output?
Comment 5 Martin Bašti 2016-06-02 08:43:13 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/deb896768f395dc535ad72715bad4339c97a6a8b
Comment 7 Scott Poore 2016-09-10 01:32:35 UTC 
Did this patch get missed/reverted?

[root@master ~]# ipa cert-revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)
  --ca=STR              Name of issuing CA

[root@master ~]# rpm -q ipa-server
ipa-server-4.4.0-9.el7.x86_64
Comment 8 Petr Vobornik 2016-09-12 07:59:12 UTC 
Looks like regression in thin client or something.
Comment 9 David Kupka 2016-09-12 11:08:06 UTC 
No, the change was undone here: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1
Comment 10 Petr Vobornik 2016-09-13 13:34:32 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6327
Comment 12 Martin Bašti 2016-09-21 11:07:35 UTC 
#6327

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/75f77e0f2a55de4802b2ab74a0e6f50eaf728dc8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/43ab75e56d8e661c51cc45803c4f7752e24bcde7
Comment 15 Scott Poore 2017-04-03 15:57:40 UTC 
Verified.

Version ::

ipa-server-4.5.0-4.el7.x86_64


Results ::

[root@auto-hv-02-guest08 ~]# ipa cert-revoke --help
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.
  --ca=STR              Name of issuing CA



[root@auto-hv-02-guest08 ~]# ipa help cert
IPA certificate operations

Implements a set of commands for managing server SSL certificates.

Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.

The dogtag CA uses just the CN value of the CSR and forces the rest of the
subject to values configured in the server.

A certificate is stored with a service principal and a service principal
needs a host.

In order to request a certificate:

* The host must exist
* The service must exist (or you use the --add option to automatically add it)

SEARCHING:

Certificates may be searched on by certificate subject, serial number,
revocation reason, validity dates and the issued date.

When searching on dates the _from date does a >= search and the _to date
does a <= search. When combined these are done as an AND.

Dates are treated as GMT to match the dates in the certificates.

The date format is YYYY-mm-dd.

EXAMPLES:

 Request a new certificate and add the principal:
   ipa cert-request --add --principal=HTTP/lion.example.com example.csr

 Retrieve an existing certificate:
   ipa cert-show 1032

 Revoke a certificate (see RFC 5280 for reason details):
   ipa cert-revoke --revocation-reason=6 1032

 Remove a certificate from revocation hold status:
   ipa cert-remove-hold 1032

 Check the status of a signing request:
   ipa cert-status 10

 Search for certificates by hostname:
   ipa cert-find --subject=ipaserver.example.com

 Search for revoked certificates by reason:
   ipa cert-find --revocation-reason=5

 Search for certificates based on issuance date
   ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07

 Search for certificates owned by a specific user:
   ipa cert-find --user=user

 Examine a certificate:
   ipa cert-find --file=cert.pem --all

 Verify that a certificate is owned by a specific user:
   ipa cert-find --file=cert.pem --user=user

IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future use
or the case where a CA does not immediately issue a certificate.

The following revocation reasons are supported:

    * 0 - unspecified
    * 1 - keyCompromise
    * 2 - cACompromise
    * 3 - affiliationChanged
    * 4 - superseded
    * 5 - cessationOfOperation
    * 6 - certificateHold
    * 8 - removeFromCRL
    * 9 - privilegeWithdrawn
    * 10 - aACompromise

Note that reason code 7 is not used.  See RFC 5280 for more details:

http://www.ietf.org/rfc/rfc5280.txt

Topic commands:
  cert-find         Search for existing certificates.
  cert-remove-hold  Take a revoked certificate off hold.
  cert-request      Submit a certificate signing request.
  cert-revoke       Revoke a certificate.
  cert-show         Retrieve an existing certificate.
  cert-status       Check the status of a certificate signing request.

To get command help, use:
  ipa <command> --help

[root@auto-hv-02-guest08 ~]#
Comment 16 errata-xmlrpc 2017-08-01 09:37:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.