16

I've generated an ssh certificate like this:

  1. ssh-keygen -f ca_key # generate a ssh keypair for use as a certificate
  2. generate a host key ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
  3. specify the host key in the server's sshd config file: TrustedUserCAKeys /etc/ssh/ssh_cert/host_key.pub
  4. generate a local certificate to access the host using an ssh certificate: ssh-keygen -s ca_key -I cert_identifier user_key.pub. This should generate user_key-cert.pub

I can now log into the server using ssh -i user_key user@host (which uses user_key-cert.pub). How can I revoke the certificate other than disabling the TrustedUserCAKeys file?

rorycl
  • 858
  • There is a discussion about this on the openssh list here http://www.gossamer-threads.com/lists/openssh/dev/49167?search_string=TrustedUserCAKeys;#49167 -- I don't think there is an elegant way to revoke a certificate. – rorycl Apr 29 '11 at 02:56

2 Answers2

16

sshd_config has a RevokedKeys file. You can list multiple keys or certificates in it, one per line. In the future, OpenSSH will support revocation by certificate serial number, which will make for much smaller revocation lists.

Damien Miller
  • 176
-4

These may be of interest to you:

CARevocationFile /path/to/bundle.crl This file contain multiple "Certificate Revocation List" (CRL) of certificate signers in PEM format concatenated together.

CARevocationPath /path/to/CRLs/ "Hash dir" with "Certificate Revocation List" (CRL) of certificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUMBER] is an integer starting from zero. Hash is result from command like this: $ openssl crl -in crl_file_name -noout -hash

(first 3 Google hits on a search for "ssh ca revoke" ... )

draeath
  • 366