Bug 2989

Summary: Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
Product: Portable OpenSSH Reporter: Peter <peter>
Component: ssh-keygenAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: normal CC: djm
Priority: P5    
Version: 7.9p1   
Hardware: amd64   
OS: FreeBSD   

Description Peter 2019-04-07 02:54:40 AEST 
If you are using multiple different CA-keys for authenticating users you list them (on per line) in a file and point to it using TrustedUserCAKeys. So far so good.

Let say I have TrustedUserCAKeys /etc/ssh/user_ca.pub i sshd_config.

But when you then try to revoke a certificate you would naturally use ssh-keygen -k -s /etc/ssh/user_ca.pub -f revoked.bin revoked, but this will not work. ssh-keygen will only revoke serials or key ids from the first CA in /etc/ssh/user_ca.pub
Comment 1 Damien Miller 2019-05-10 14:47:44 AEST 
Are you specifying "revoked" as a literal key? If so, these are revoked by the signature key in the certificate, not the one on the command line (I think).