Bug 2989 - Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 7.9p1
Hardware: amd64 FreeBSD
Importance: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-07 02:54 AEST by Peter
Modified: 2019-05-10 14:47 AEST (History)

See Also:


Description Peter 2019-04-07 02:54:40 AEST
If you are using multiple different CA keys for authenticating users, you list them (one per line) in a file and point to it using TrustedUserCAKeys. So far so good.

Let's say I have TrustedUserCAKeys /etc/ssh/user_ca.pub in sshd_config.

But when you then try to revoke a certificate you would naturally use ssh-keygen -k -s /etc/ssh/user_ca.pub -f revoked.bin revoked, but this will not work. ssh-keygen will only revoke serials or key IDs from the first CA in /etc/ssh/user_ca.pub.
Comment 1 Damien Miller 2019-05-10 14:47:44 AEST
Are you specifying "revoked" as a literal key? If so, these are revoked by the signature key in the certificate, not the one on the command line (I think).
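Both the report and the reply turn on which CA a KRL entry is bound to. The following is an added example, not code from OpenSSH or from either commenter: it builds a KRL by hand in the wire format documented in OpenSSH's PROTOCOL.krl and parses it back, so that a practitioner can see that serial-number and key-ID revocations live in per-CA certificate sections, each carrying the issuing CA's public key blob (an empty CA key makes a section apply to every CA), which is why a serial is only meaningful relative to one CA. Revoking a literal key, the case Damien asks about, lands in a separate explicit-key section that names no CA; the parser here skips those and reports only certificate sections. The CA key blobs, serials and key ID are constructed dummies, and ca_summary() is a hypothetical helper whose purpose is to show, for a real KRL written by ssh-keygen -k, which CA each serial list was bound to.

```python
"""Build and inspect OpenSSH Key Revocation Lists (KRLs).
Added example, not OpenSSH code: the layout follows PROTOCOL.krl in the OpenSSH
source; the CA key blobs, serials and key IDs below are constructed dummies."""
import struct

KRL_MAGIC = b"SSHKRL\n\x00"
KRL_FORMAT_VERSION = 1
SECTION_CERTIFICATES = 1   # KRL_SECTION_CERTIFICATES
SECTION_SIGNATURE = 4      # KRL_SECTION_SIGNATURE: two strings, not one body
CERT_SERIAL_LIST = 0x20    # KRL_SECTION_CERT_SERIAL_LIST
CERT_KEY_ID = 0x23         # KRL_SECTION_CERT_KEY_ID

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def cert_section(ca_blob: bytes, serials=(), key_ids=()) -> bytes:
    """One certificate section. ca_blob == b'' binds the section to every CA."""
    body = ssh_string(ca_blob) + ssh_string(b"")  # ca_key, reserved
    if serials:
        packed = b"".join(struct.pack(">Q", s) for s in serials)
        body += bytes([CERT_SERIAL_LIST]) + ssh_string(packed)
    if key_ids:
        packed = b"".join(ssh_string(k.encode()) for k in key_ids)
        body += bytes([CERT_KEY_ID]) + ssh_string(packed)
    return bytes([SECTION_CERTIFICATES]) + ssh_string(body)

def build_krl(sections, krl_version=1, generated_date=0, comment=b"") -> bytes:
    """Header: magic, format, krl_version, generated_date, flags, reserved, comment."""
    header = KRL_MAGIC + struct.pack(">IQQQ", KRL_FORMAT_VERSION, krl_version, generated_date, 0)
    return header + ssh_string(b"") + ssh_string(comment) + b"".join(sections)

class _Reader:
    """Minimal cursor over SSH wire data."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def done(self) -> bool:
        return self.pos >= len(self.data)
    def raw(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated KRL")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, width: int) -> int:  # 4 -> uint32, 8 -> uint64
        return int.from_bytes(self.raw(width), "big")
    def string(self) -> bytes:
        return self.raw(self.uint(4))

def parse_krl(data: bytes) -> dict:
    """Header fields plus one dict per certificate section; other sections are skipped."""
    r = _Reader(data)
    if r.raw(8) != KRL_MAGIC or r.uint(4) != KRL_FORMAT_VERSION:
        raise ValueError("not a version-1 KRL")
    krl = {"version": r.uint(8), "date": r.uint(8), "flags": r.uint(8), "cert_sections": []}
    r.string()  # reserved
    krl["comment"] = r.string()
    while not r.done():
        kind = r.raw(1)[0]
        if kind == SECTION_SIGNATURE:
            r.string(); r.string()  # sig_key, signature
        elif kind == SECTION_CERTIFICATES:
            krl["cert_sections"].append(_parse_cert_section(r.string()))
        else:
            r.string()  # explicit keys, fingerprints, extensions: skipped here
    return krl

def _parse_cert_section(body: bytes) -> dict:
    r = _Reader(body)
    sec = {"ca_key": r.string(), "serials": set(), "key_ids": []}
    r.string()  # reserved
    while not r.done():
        kind, data = r.raw(1)[0], r.string()
        if kind == CERT_SERIAL_LIST:
            sec["serials"].update(struct.unpack(">%dQ" % (len(data) // 8), data))
        elif kind == CERT_KEY_ID:
            ids = _Reader(data)
            while not ids.done():
                sec["key_ids"].append(ids.string().decode())
    return sec

def is_revoked(krl: dict, ca_blob: bytes, serial: int, key_id: str) -> bool:
    """A section applies only if its ca_key is the cert's signing CA or is empty."""
    return any(sec["ca_key"] in (b"", ca_blob)
               and (serial in sec["serials"] or key_id in sec["key_ids"])
               for sec in krl["cert_sections"])

def ca_summary(krl: dict) -> list:
    """(key type or 'any CA', sorted serials, key IDs) per section: run this on a
    real KRL to see which CA ssh-keygen bound each serial list to."""
    return [(_Reader(s["ca_key"]).string().decode() if s["ca_key"] else "any CA",
             sorted(s["serials"]), s["key_ids"]) for s in krl["cert_sections"]]

# Constructed demo: two user CAs, as in a multi-key TrustedUserCAKeys file.
CA1 = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)  # dummy, not a real key
CA2 = ssh_string(b"ssh-ed25519") + ssh_string(b"\x02" * 32)
DEMO_KRL = build_krl([cert_section(CA1, serials=[5, 6]),           # issued by CA1
                      cert_section(CA2, serials=[5, 7]),           # CA2's own serial space
                      cert_section(b"", key_ids=["contractor-bob"])],  # any CA
                     comment=b"constructed example")
```

To inspect a KRL that ssh-keygen actually wrote, read the file and call ca_summary(parse_krl(data)): if every serial list reports the same CA key type and the file listed several CAs, the next step is to compare the raw ca_key blobs against each key in the TrustedUserCAKeys file. Whether a given certificate is really revoked should still be confirmed with ssh-keygen -Q -f revoked.krl cert.pub, since that exercises the same code path sshd uses.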