66

I made an openssl certificate signed by the CA created on the local machine.

This certificate was deleted and I don't have it anymore.

It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:

failed to update database
TXT_DB error number 2

How can I revoke the certificate to create another one with the same commonName ?

leszek.hanusz
  • 5,152
  • 2
  • 38
  • 56

3 Answers3

89

(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by its index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:

openssl ca -revoke /etc/ssl/newcerts/1013.pem #replacing the serial number

The -keyfile and -cert mentioned in Nilesh's answer are only required if that deviates from your openssl.cnf settings.

Alternatively you can also change /etc/ssl/index.txt.attr to contain the line

unique_subject = no

to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OSCP server or provide CRLs.

Community
  • 1
  • 1
Tobias Kienzler
  • 25,759
  • 22
  • 127
  • 221
  • 4
    Great answer! Thanks a lot! For easy-rsa users it is: /etc/openvpn/easy-rsa/revoke-full /etc/openvpn/easy-rsa/01.pem and the list of all signed certificates with their index can be found in /etc/openvpn/easy-rsa/keys/index.txt – Thassilo Feb 17 '16 at 13:13
  • @Thassilo Good to know, thanks to you as well (and a slightly late welcome to SO as well :) – Tobias Kienzler Feb 18 '16 at 06:42
  • 2
    This is exactly what I needed. If anyone came here looking for help when they screwed up their revocation using OpenVPN's tool (like me), then you can copy the "revoke-full" script and make a change to it. You'll want to still maintain the CRL (Certificate revocation lists), so edit your copied 'revoke-full' and change the line for `$OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"` to be: `$OPENSSL ca -revoke /etc/openvpn/easy-rsa/keys/YOUR-PEM.pem -config "$KEY_CONFIG"` – BoomShadow Jul 27 '16 at 23:24
  • 1
    Note, per https://serverfault.com/a/853068/454260 "But this setting is also saved in file index.txt.attr, you have to change this, too. Otherwise it will not work." – driedler Apr 15 '22 at 04:29
  • @driedler Thanks for the additional info! – Tobias Kienzler Apr 19 '22 at 18:51
11

I haven't tried this but it looks like you need something like this.

openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

openssl automatically saves a copy of your cert at newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml

muru
  • 4,723
  • 1
  • 34
  • 78
Nilesh
  • 5,955
  • 3
  • 24
  • 34
  • 3
    Some more details (assuming default configuration): Grep `/etc/ssl/index.txt` to obtain the serial number of the key to be revoked, e.g. 1013, then just `openssl ca -revoke /etc/ssl/newcerts/1013.pem` (replacing the serial number) The `-keyfile` and `-cert` are only required if that deviates from your `openssl.cnf` settings – Tobias Kienzler Jan 31 '13 at 11:15
  • @TobiasKienzler This solved my problem. Perhaps it should be a full answer. – Michael Hampton Feb 24 '13 at 20:16
  • @MichaelHampton Glad to hear, I [reposted it](http://stackoverflow.com/a/15061804/321973) – Tobias Kienzler Feb 25 '13 at 07:12
5

Like the other answers say, openssl CA usually keeps a copy of signed certificates in a subdirectory (newcerts or certs, or keys with easyrsa. Look for new_certs_dir definition in the openssl.cnf file of your authority or -outdir option in the scripts).

Thus, the canonical way of doing is something along :

openssl ca -config openssl.cnf -revoke newcerts/hello-world.pem

However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there) so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it :

# before
V   291008172120Z       6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com
# after
R   291008172120Z   191011172218Z   6DB67443D7E6C2D95D6E2F7F264C05F944964049    unknown /C=FR/CN=coucou.com

# Format is 6 fields, tab-separated, and filename is usually 'unknown' :
# CRL doesn't contain nor need the subject so if unavailable, just make up something close
V/R/E   expiration-date revocation-date serial-number   filename    subject

(tested with OpenSSL 1.1.1c. On some other version/environment, serial number can be much shorter)

The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.

Chl
  • 401
  • 4
  • 8