Bug 1327207 - ipa cert-revoke --help doesn't provide enough info on revocation reasons
Summary: ipa cert-revoke --help doesn't provide enough info on revocation reasons
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-14 12:56 UTC by Aneta Šteflová Petrová
Modified: 2017-08-01 09:37 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Aneta Šteflová Petrová 2016-04-14 12:56:08 UTC
Description of problem:

The "ipa cert-revoke -h" command prints the following:

  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)

Some users probably don't know which numbers corresponds to which revocation reasons.


Expected results:

The "ipa cert-revoke -h" output could include a list of the numbers and the corresponding reasons to revoke a certificate. Or, if the list is available in a man page somewhere, the "--revocation-reason" description could just refer the users to that man page.

Comment 1 Petr Vobornik 2016-04-14 13:02:21 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5819

Comment 3 Rob Crittenden 2016-04-14 13:29:45 UTC
ipa help cert contains the information.

Comment 4 Aneta Šteflová Petrová 2016-04-14 13:37:26 UTC
Thanks, Rob, I didn't know that.

Is it possible to refer the users to "ipa help cert" from the "ipa cert-revoke-h" output?

Comment 5 Martin Bašti 2016-06-02 08:43:13 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/deb896768f395dc535ad72715bad4339c97a6a8b

Comment 7 Scott Poore 2016-09-10 01:32:35 UTC
Did this patch get missed/reverted?

[root@master ~]# ipa cert-revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)
  --ca=STR              Name of issuing CA

[root@master ~]# rpm -q ipa-server
ipa-server-4.4.0-9.el7.x86_64

Comment 8 Petr Vobornik 2016-09-12 07:59:12 UTC
Looks like regression in thin client or something.

Comment 9 David Kupka 2016-09-12 11:08:06 UTC
No, the change was undone here: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1

Comment 10 Petr Vobornik 2016-09-13 13:34:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6327

Comment 15 Scott Poore 2017-04-03 15:57:40 UTC
Verified.

Version ::

ipa-server-4.5.0-4.el7.x86_64


Results ::

[root@auto-hv-02-guest08 ~]# ipa cert-revoke --help
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.
  --ca=STR              Name of issuing CA



[root@auto-hv-02-guest08 ~]# ipa help cert
IPA certificate operations

Implements a set of commands for managing server SSL certificates.

Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.

The dogtag CA uses just the CN value of the CSR and forces the rest of the
subject to values configured in the server.

A certificate is stored with a service principal and a service principal
needs a host.

In order to request a certificate:

* The host must exist
* The service must exist (or you use the --add option to automatically add it)

SEARCHING:

Certificates may be searched on by certificate subject, serial number,
revocation reason, validity dates and the issued date.

When searching on dates the _from date does a >= search and the _to date
does a <= search. When combined these are done as an AND.

Dates are treated as GMT to match the dates in the certificates.

The date format is YYYY-mm-dd.

EXAMPLES:

 Request a new certificate and add the principal:
   ipa cert-request --add --principal=HTTP/lion.example.com example.csr

 Retrieve an existing certificate:
   ipa cert-show 1032

 Revoke a certificate (see RFC 5280 for reason details):
   ipa cert-revoke --revocation-reason=6 1032

 Remove a certificate from revocation hold status:
   ipa cert-remove-hold 1032

 Check the status of a signing request:
   ipa cert-status 10

 Search for certificates by hostname:
   ipa cert-find --subject=ipaserver.example.com

 Search for revoked certificates by reason:
   ipa cert-find --revocation-reason=5

 Search for certificates based on issuance date
   ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07

 Search for certificates owned by a specific user:
   ipa cert-find --user=user

 Examine a certificate:
   ipa cert-find --file=cert.pem --all

 Verify that a certificate is owned by a specific user:
   ipa cert-find --file=cert.pem --user=user

IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future use
or the case where a CA does not immediately issue a certificate.

The following revocation reasons are supported:

    * 0 - unspecified
    * 1 - keyCompromise
    * 2 - cACompromise
    * 3 - affiliationChanged
    * 4 - superseded
    * 5 - cessationOfOperation
    * 6 - certificateHold
    * 8 - removeFromCRL
    * 9 - privilegeWithdrawn
    * 10 - aACompromise

Note that reason code 7 is not used.  See RFC 5280 for more details:

http://www.ietf.org/rfc/rfc5280.txt

Topic commands:
  cert-find         Search for existing certificates.
  cert-remove-hold  Take a revoked certificate off hold.
  cert-request      Submit a certificate signing request.
  cert-revoke       Revoke a certificate.
  cert-show         Retrieve an existing certificate.
  cert-status       Check the status of a certificate signing request.

To get command help, use:
  ipa <command> --help

[root@auto-hv-02-guest08 ~]#

Comment 16 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.