Bug 441354 - [RFE] CMC-based unrevoke
[RFE] CMC-based unrevoke
Status: CLOSED NEXTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
Version: 1.0
Hardware: All / OS: Linux
Priority: medium  Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Keywords: FutureFeature
Depends On:
Blocks: 760283
Reported: 2008-04-07 14:17 EDT by David Stutzman
Modified: 2015-01-04 18:31 EST (History)

See Also:
Fixed In Version: pki-common-8.1.4-1.el5pki
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-28 21:42:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
proposed patch (3.77 KB, patch)
2012-07-09 19:48 EDT, Andrew Wnuk
mharmsen: review+
Description David Stutzman 2008-04-07 14:17:05 EDT
It is possible to send a CMC revocation request to the CA with a CRLReason type
6, certificateHold, which puts the certificate on hold.  There isn't, as far as
I can tell, any way to take a certificate off hold via CMC.  I have tried
sending a revocation request with a CRLReason of type 8, removeFromCRL and the
CMC response indicated a successful revoke and the debug log of CA said the
certificate is already revoked.  The only way, that I am aware of, to take the
certificate off hold is through the agent webpage.  Do a list or search
specifying the serial number of a previously-suspended certificate and then
click the "Off Hold" button.  I'm not sure if the CMC protocol is even meant to
do this at all, but it would be nice to reverse the hold/suspension process in a
similar way to which it was performed.
Comment 4 Andrew Wnuk 2012-07-09 19:48:27 EDT
Created attachment 597181
proposed patch
Comment 7 Andrew Wnuk 2012-07-09 20:40:05 EDT
git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (11/11), 1.30 KiB, done.
Total 11 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   60fdb85..88322df  DOGTAG_9_BRANCH -> DOGTAG_9_BRANCH
Comment 8 Andrew Wnuk 2012-07-10 12:03:16 EDT
git commit
[master 90b7816] CMC revocation
 1 files changed, 27 insertions(+), 9 deletions(-)
bash-4.2$ git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (11/11), 1.26 KiB, done.
Total 11 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   759d547..90b7816  master -> master
Comment 9 Niranjan Mallapadi Raghavender 2013-03-15 06:04:32 EDT
Versions:

pki-ca-8.1.1-1.ecc.el5pki (Build Date: Wed 13 Mar 2013 03:02:32 PM EDT)
pki-ocsp-8.1.1-1.ecc.el5pki (Build Date: Thu 14 Mar 2013 03:03:20 PM EDT)
pki-java-tools-8.1.0-6.ecc.el5pki(Build Date: Wed 13 Mar 2013 02:53:25 PM EDT)

1. Access EE Page: http://hostname:9444/ca/ee/ca
2. Select Profile: "Manual user dual-use certificate Enrollment"
3. Specify the inputs below:
uid: foo1
email: foo1@foo.org
Common Name: foouser1
Requestor Name: foo1

4. Click on submit
5. Access Agent interface and approve the above request

Below is the certificate:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


6. Get the serial number of the certificate issued and the CN of the signing certificate (CA):

issuer= /O=Example Domain/CN=CA signing cert
subject= /CN=foo1/emailAddress=foo1@foo.org/UID=foo1
serial=13

7. Serial number 13 is hexadecimal; convert it to decimal (19).

8. Revoke the above certificate using CMCRevoke:

$CMCRevoke -d. -n"admin" -i"CN=CA signing cert,O=Example Domain" -s19 -m6 -ppassword -ctest > revoke.out

In the above command, -m6 revokes the certificate with reason "certificate on hold".

9. Submit the CMC revoke request to the CA:
i) Access EE: http://hostname:9444/ca/ee/ca
ii) Access Revocation -> CMC Revoke and paste the revocation request from the file "revoke.out" (without -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----)
iii) Click on submit

<snip>

The output below is returned:

Certificate with serial number 0x15 has been revoked.
The Certificate Revocation List will be updated automatically at the next scheduled update.

</snip>

10. Update the revocation list.

11. Check the certificate status:

$OCSPClient rhelcs-1.example.org 11180 . "CA signing cert - Example Domain" 21 abc.out 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQsWqC7khSNvAp4CxQRujSmkl5kAAQUVe2A
FgaMZAjIcnt231kNDWV23PECARU=
CertID.serialNumber=19
CertStatus=Revoked
Success: Output abc.out

12. Unrevoke the certificate with reason "Remove from CRL":

$CMCRevoke -d. -n"admin" -i"CN=CA signing cert,O=Example Domain" -s21 -m8 -ppassword -ctest > unrevoke.out

13. Submit the CMC revoke request to the CA:
i) Access EE: http://hostname:9444/ca/ee/ca
ii) Access Revocation -> CMC Revoke and paste the request from the file "unrevoke.out" (without -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----)
iii) Click on submit

14. Update the revocation list from the agent interface of the CA.

15. Check the certificate status:

[root@rhelcs-1 pki-ca-Mar-14-inst1]# OCSPClient rhelcs-1.example.org 11180 . "CA signing cert - Example Domain" 19 abc.out 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQsWqC7khSNvAp4CxQRujSmkl5kAAQUVe2A
FgaMZAjIcnt231kNDWV23PECARM=
CertID.serialNumber=19
CertStatus=Good
Success: Output abc.out
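
The hold / off-hold exchange that the description (CRLReason 6 then 8) and Comment 9 (CMCRevoke -m6 then -m8) walk through, as an added example that is not part of this bug, of the attached patch, or of Dogtag's code. It hand-encodes the RFC 5272 RevokeRequest body a CMC revocation carries, decodes it again, and applies the rule a CA needs before honouring it: a removeFromCRL request may only release a certificate that is on certificateHold, never one revoked for keyCompromise or any other reason, and a second hold on an already revoked certificate is reported as such rather than as success. Assumptions: the issuer DN and serial numbers 19 and 21 are taken from the test run above; CertStore is a toy in-memory record standing in for the CA's certificate repository; the DER helpers cover only the tags a RevokeRequest needs and use UTF8String for every attribute value.

```python
# Added example, not Dogtag code: encode and decode the RFC 5272 RevokeRequest
# body that CMCRevoke sends, then apply the CA-side rule that a reason 8
# (removeFromCRL) request may only lift a certificateHold.

KEY_COMPROMISE = 1      # CRLReason values, RFC 5280 section 5.3.1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8

# Issuer DN from the bug's test run, in DER order (OpenSSL printed it as
# /O=Example Domain/CN=CA signing cert).
ISSUER = [("2.5.4.10", "Example Domain"), ("2.5.4.3", "CA signing cert")]

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _der_number(tag, n):
    # INTEGER (0x02) or ENUMERATED (0x0A): minimal two's-complement octets
    if n < 0:
        raise ValueError("negative values are not used here")
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def der_integer(n):
    return _der_number(0x02, n)

def der_enumerated(n):
    return _der_number(0x0A, n)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def der_name(rdns):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }
    out = b""
    for oid, value in rdns:
        out += _tlv(0x31, _tlv(0x30, der_oid(oid) + _tlv(0x0C, value.encode())))
    return _tlv(0x30, out)

def encode_revoke_request(issuer, serial, reason):
    # RevokeRequest ::= SEQUENCE { issuerName Name, serialNumber INTEGER,
    #   reason CRLReason, ... }  (RFC 5272 section 6.11; optional fields omitted)
    return _tlv(0x30, der_name(issuer) + der_integer(serial) + der_enumerated(reason))

def _read_tlv(buf, pos):
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_revoke_request(der):
    """Return (serial, reason); raise ValueError on a malformed request."""
    tag, body, _ = _read_tlv(der, 0)
    tag2, _name, pos = _read_tlv(body, 0)
    tag3, serial, pos = _read_tlv(body, pos)
    tag4, reason, _ = _read_tlv(body, pos)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x02, 0x0A) or len(reason) != 1:
        raise ValueError("not a RevokeRequest")
    return int.from_bytes(serial, "big", signed=True), reason[0]

class CertStore:
    """Toy CA record, serial -> (status, reason), applying the hold rules."""
    def __init__(self):
        self.records = {}

    def issue(self, serial):
        self.records[serial] = ("VALID", None)

    def process(self, revoke_request_der):
        serial, reason = decode_revoke_request(revoke_request_der)
        if serial not in self.records:
            return "unknown serial"
        status, current = self.records[serial]
        if reason == REMOVE_FROM_CRL:
            # off-hold is only valid for a certificate on hold; a keyCompromise
            # (or any other) revocation must never be reversed this way
            if status == "REVOKED" and current == CERTIFICATE_HOLD:
                self.records[serial] = ("VALID", None)
                return "off hold"
            return "rejected: certificate is not on hold"
        if status == "REVOKED":
            return "already revoked"
        self.records[serial] = ("REVOKED", reason)
        return "revoked"
```

The serial is encoded from its decimal value, which is why the test run above converts 0x13 to 19 before passing it to -s; a CA that accepted the hexadecimal string literally would act on a different certificate. The same DER walk is also the place to enforce that only the CA's own issuerName is accepted, which this toy omits.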
