cfssl
Revoking certs through the API
Hello,
I've been trying to revoke a certificate using the API. A few things I noted:
- the format of the Serial and AKI in 'certinfo' is different from the expected args for 'revoke'
- I can't get the API to revoke it at all. This is probably some encoding / format issue, but using curl with the same arguments failed
{"success":false,"result":null,"errors":[{"code":11200,"message":"failed to revoke the certificate: certificate not found"}],"messages":[]}
I've tried using the hex, upper hex, and lower hex formats. Using cfssl made it work, but only with a lowercase hex version; personally, I'd propose making certinfo print a lowercase "%0x" version without the colons.
PS: do you have a chat channel / FAQ?
Thanks for the feedback. Yes, the indexing of the certificate in the db may need some work to make it more robust against different ways of encoding. I will investigate it a bit more.
Cert revocation is an ongoing project right now, so we don't have a mature FAQ for that matter. Issues are welcome!
Thanks.
The docs say:
$ curl -d '{"serial": "7961067322630364137", \
"aki": "00:01:02:03:04:05:07", \
"reason": "superseded"}' \
${CFSSL_HOST}/api/v1/cfssl/revoke
What the current API wants:
$ curl -d '{"serial": "7961067322630364137", \
"authority_key_id": "a7d80eb08e3c005f98533570545c6b4a3c9d01f0", \
"reason": "superseded"}' \
${CFSSL_HOST}/api/v1/cfssl/revoke
If you tell me which is the intended one, I'll create PRs:
- to make "certinfo" print the correctly formatted aki
- fix the docs or fix the type jsonRevokeRequest in https://github.com/cloudflare/cfssl/blob/master/api/revoke/revoke.go#L32?
Not that my opinion carries any weight, but I'd vote for fixing certinfo. I found that the current implementation of formatKeyID strips the leading zero from each byte (that has one), which makes going from the AKI in certinfo to the one required by revoke all the more complicated.
This means the AKI shown in @giganteous's second example would appear as:
A7:D8:E:B0:8E...
instead of
A7:D8:0E:B0:8E...
Hi,
I'm trying to revoke a certificate through the API. This certificate is signed by cfssl and stored in the PostgreSQL database. I tried with the different elements given by the cfssl certinfo command:
"serial_number": "681423656269620530236478209087300317087264653063",
"authority_key_id": "36:CB:D9:A8:CD:1D:B4:5B:E7:DD:FE:EF:55:58:6:CC:5D:F0:5:17",
So I'm creating the following revoke.json file:
{"serial": "681423656269620530236478209087300317087264653063", "authority_key_id": "36cbd9a8cd1db45be7ddfeef55586cc5df0517", "reason": "superseded"}
because I understood from reading this bug report that authority_key_id should be lower case with no ":", but I still get
{"success":false,"result":null,"errors":[{"code":11200,"message":"failed to revoke the certificate: certificate not found"}],"messages":[]}
Any help appreciated, because I've the feeling I'm so close :)
Hi,
Any update on using revocation through the API?
Regards, Carl
As I said slightly higher up: the remote API works if you "patch" your AKI with zeros. In your case: add a 0 before the 5 three nibbles from the end, then strip all colons, and the remote API will work.
Then it works, and you will realize it is a little insecure in its current design. So we need to hang on, sit tight. @lziest might know if there is some place to discuss the direction of the design?
Apologies here. I am busy with other tasks. I will catch up when I have time.
Certificate Revocation issue with the Remote API/cfssl:
Created a new cert, and the log shows:
2017/06/26 18:47:58 [INFO] request for CSR
2017/06/26 18:47:58 [INFO] generate received request
2017/06/26 18:47:58 [INFO] received CSR
2017/06/26 18:47:58 [INFO] generating key: ecdsa-256
2017/06/26 18:47:58 [DEBUG] generate key from request: algo=ecdsa, size=256
2017/06/26 18:47:58 [INFO] encoded CSR
2017/06/26 18:47:58 [INFO] signed certificate with serial number 613150405139278474446431593601953564578963078176
2017/06/26 18:47:58 [DEBUG] saved certificate with serial number 613150405139278474446431593601953564578963078176
2017/06/26 18:47:58 [INFO] 127.0.0.1:56712 - "POST /api/v1/cfssl/newcert" 200
Now I want to revoke the certificate using the API:
curl -d '{ "serial": "613150405139278474446431593601953564578963078176", "authority_key_id": "12345678901234567890123456789000", "reason": "superseded" }' ${caaddress}:8888/api/v1/cfssl/revoke
Curl output:
{"success":false,"result":null,"errors":[{"code":11200,"message":"failed to revoke the certificate: certificate not found"}],"messages":[]}
Error log on console:
2017/06/26 20:54:52 [INFO] 127.0.0.1:56746 - "POST /api/v1/cfssl/revoke" 11200
CFSSL Version Details:
cfssl version Version: 1.2.0 Revision: dev Runtime: go1.8.3
Postgres DB Details:
postgres-# \encoding UTF8
postgres-# \d certificates
serial_number            | bytea                    | not null
authority_key_identifier | bytea                    | not null
ca_label                 | bytea                    |
status                   | bytea                    | not null
reason                   | integer                  |
expiry                   | timestamp with time zone |
revoked_at               | timestamp with time zone |
pem                      | bytea                    | not null
Number of rows is also increasing when I create new certificates.
After spending some significant time choosing an internal CA among the various existing internal CAs, we selected cfssl as our internal CA because it has all the features and goodies that we are looking for, and at the final step I am kind of blocked. Any kind of help is appreciated.
Note: the behavior is the same even if I revoke using the 'cfssl' command line tool.
The "authority_key_id": "12345678901234567890123456789000" is real? The value is supposed to be the "subject key identifier" from the CA certificate.
@chaica would you use "36cbd9a8cd1db45be7ddfeef55586cc5df00517", notice that ":5" needs to be "0x05".
@lziest Thanks for pointing that out and for the timely response.
cfssl certinfo -cert=dummy.pem
......
"authority_key_id": "E2:F5:9E:1F:F3:A7:E4:30:A5:12:6C:8E:4B:EF:11:DF:1B:FB:9B:92",
"subject_key_id": "10:2C:CC:72:7D:80:61:A1:F2:CA:5D:7C:C:C3:EF:D3:19:14:53:7A",
I tried all 4 combinations for the authority_key_id argument of the remote API:
- 102CCC727D8061A1F2CA5D7CCC3EFD31914537A (subject_key_id, upper case)
- 102ccc727d8061a1f2ca5d7ccc3efd31914537a (subject_key_id, lower case)
- E2F59E1FF3A7E430A5126C8E4BEF11DF1BFB9B92 (authority_key_id, upper case)
- e2f59e1ff3a7e430a5126c8e4bef11df1bfb9b92 (authority_key_id, lower case)
I am able to make it work by using the authority_key_id data in '4' with curl:
curl --trace-ascii /dev/stdout -d '{ "serial": "'"$serial_num"'", "authority_key_id": "e2f59e1ff3a7e430a5126c8e4bef11df1bfb9b92", "reason": "superseded" }' ${caaddress}:8888/api/v1/cfssl/revoke
Final conclusion: the remote API for revoke is working with very minor adjustments to the API arguments.
I am trying to revoke a certificate too. When running the command cfssl certinfo
on the certificate, I get an empty field:
"serial_number": "306497094254707834533778298582528839065034964409",
"not_before": "2022-07-25T11:42:00Z",
"not_after": "2027-07-24T11:42:00Z",
"sigalg": "SHA512WithRSA",
"authority_key_id": "",
"subject_key_id": "C5:04:6A:C0:1C:34:55:DB:E9:65:6E:E3:0A:57:84:A9:5F:3C:4E:A8",
What should I do in this case, since it gives me the same error:
{"success":false,"result":null,"errors":[{"code":11200,"message":"failed to revoke the certificate: certificate not found"}],"messages":[]}