certrevoke Command

Purpose

certrevoke revokes a user certificate.

Syntax

certrevoke [-S servicename] { -f file -l label [-p privatekeystore] | tag [user-name]}

Description

The certrevoke command revokes certificates issued by a certificate authority that is part of the system's domain. The -S option specifies which service to use when revoking a certificate. Available services are defined in /usr/lib/security/pki/ca.cfg. When the -S option is omitted, the local service is used. An error is returned if you specify a servicename that does not have an entry in the /usr/lib/security/pki/ca.cfg file.

If the -f option is given, the certificate is read from the named file, or from stdin if the name is "-". Certificates must be in DER format. Whenever the -f option is used, the label of the private key matching the certificate's public key must also be specified with -l. If the location of the private keystore is not given with -p, the default location is used.

If the -f option is not specified, the invoker must provide the tag value and optional username for the certificate to be revoked. If invoked without the username parameter, the certrevoke command will use the name of the current user.

The -l option names the private key matching the public key in the certificate that is to be revoked. The certrevoke command fails if the user cannot demonstrate ownership of the private key matching the public key that is to be revoked. The certrevoke command prompts the user for a password before performing the certificate revocation, and may fail if it is unable to open /dev/tty for the current process.

Flags

Item Description
-S servicename Specifies which service module to use.
-f file Specifies that the certificate to be revoked will be read from file.
-l label Specifies the label associated with the private key of the certificate to be revoked.
-p privatekeystore Specifies the location of the private keystore.

Exit Status

Item Description
0 The command completed successfully.
>0 An error occurred.

Security

This is a setuid command.

Root and invokers belonging to group security can revoke anybody's certificate. Root revokes the certificate using the revocation passphrase. The revocation passphrase is specified in the /usr/lib/security/pki/acct.cfg file.

A non-privileged user can only revoke certificates that they own. They have to demonstrate that they own the private key matching the public key in the certificate to be revoked.

Audit

This command records the following event information:

CERT_Revoke <username>

Examples

To revoke the certificate signcert owned by Bob, enter:

$ certrevoke signcert bob

To revoke a certificate in file cert.der, proving ownership with the matching private key, enter (where <label> is the label of that private key):

$ certrevoke -f cert.der -l <label>
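The Description above lists several ways a certrevoke call fails before any revocation happens (a -S service with no entry in ca.cfg, a certificate that is not DER, -f without -l, and no /dev/tty for the password prompt). The following script, added here as an example and not part of the AIX documentation, pre-checks those conditions and prints the certrevoke invocation it would run. It assumes ca.cfg lists each service as a stanza header "servicename:" at the start of a line, and that CA_CFG can be overridden for testing.

```shell
#!/bin/sh
# Added example, not from the AIX man page: pre-flight checks for a script that
# calls certrevoke. Assumption: ca.cfg names each service in a stanza header
# of the form "servicename:" at the start of a line.
CA_CFG=${CA_CFG:-/usr/lib/security/pki/ca.cfg}

# Succeeds only if the service has an entry in ca.cfg (certrevoke errors otherwise).
service_defined() {
    grep -q "^$1:" "$CA_CFG" 2>/dev/null
}

# A DER-encoded certificate begins with an ASN.1 SEQUENCE tag (0x30); a PEM
# file begins with "-----BEGIN" and would be rejected by certrevoke.
is_der() {
    [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]
}

# certrevoke prompts for the password on /dev/tty; a batch job without one fails.
have_tty() {
    { true < /dev/tty; } 2>/dev/null
}

# Print the certrevoke command for a revocation by certificate file, or return 1.
# Usage: revoke_by_file service file label [privatekeystore]
revoke_by_file() {
    service=$1; file=$2; label=$3; store=$4
    service_defined "$service" || { echo "no entry for service '$service' in $CA_CFG" >&2; return 1; }
    is_der "$file" || { echo "$file is not a DER certificate" >&2; return 1; }
    [ -n "$label" ] || { echo "-f requires -l label (key that proves ownership)" >&2; return 1; }
    set -- -S "$service" -f "$file" -l "$label"
    [ -n "$store" ] && set -- "$@" -p "$store"
    echo "certrevoke $*"
}

# Print the certrevoke command for a revocation by tag; the user defaults to
# the invoker, as certrevoke itself does.
# Usage: revoke_by_tag service tag [user]
revoke_by_tag() {
    service=$1; tag=$2; user=${3:-$(id -un)}
    service_defined "$service" || { echo "no entry for service '$service' in $CA_CFG" >&2; return 1; }
    echo "certrevoke -S $service $tag $user"
}
```

Calling have_tty before either function lets a cron or batch job fail early with a clear message instead of at certrevoke's password prompt.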

Files

/usr/lib/security/pki/ca.cfg