-
Notifications
You must be signed in to change notification settings - Fork 38
Revoke the intermediate CA certificate
Richard Crowley edited this page Apr 15, 2014
·
8 revisions
If your root CA's private key leaks you're out of luck and have to burn the whole PKI to the ground. If you have bad, but slightly less bad, luck and only your intermediate CA's private key leak you can recover.
First, take advantage of certified-ca(1) and certified(1) storing the history of your CA in a Git repository:
git --git-dir="etc/ssl/.git" log --pretty="format:%s" --reverse >"history.sh"We'll use this shell script later.
Now, revoke every certificate issued by the compromised intermediate CA as well as the intermediate CA certificate itself (this will require the root CA private key and password):
certified-ls | xargs -I"_" certified --revoke CN="_"
certified-ca --revokeFinally, regenerate all the certificates previously signed, starting with a new intermediate CA:
sh "history.sh"Next: Home