How to revoke an openssl certificate when you don't have the certificate

I made an openssl certificate signed by the CA created on the local machine.

This certificate was deleted and I don't have it anymore.

It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error:

failed to update database TXT_DB error number 2 

How can I revoke the certificate to create another one with the same commonName?

leszek.hanusz asked Feb 29 '12 09:02



2 Answers

(Based on Nilesh's answer) In the default configuration, openssl will keep copies of all signed certificates in /etc/ssl/newcerts, named by its index number. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. 1013, then execute the following command:

openssl ca -revoke /etc/ssl/newcerts/1013.pem #replacing the serial number 

The -keyfile and -cert mentioned in Nilesh's answer are only required if that deviates from your openssl.cnf settings.


Alternatively you can also change /etc/ssl/index.txt.attr to contain the line

unique_subject = no 

to allow multiple certificates with the same common name. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OCSP server or provide CRLs.

Tobias Kienzler answered Oct 03 '22 10:10
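The index.txt lookup from the answer above, as an added POSIX shell example (not code from either answer). It assumes the default openssl ca layout (tab-separated index.txt, copies in newcerts/<serial>.pem) and only matches entries whose status is V with an exact CN, so a previously revoked entry for the same name is skipped; the sample index.txt is constructed.

```shell
#!/bin/sh
# index.txt columns (tab-separated): status (V/R/E), expiry, revocation
# date (empty unless revoked), serial (hex), filename, subject DN.

# Print the serial of the still-valid (status V) certificate whose subject
# carries exactly CN=<common name>. $1 = index.txt, $2 = common name.
serial_for_cn() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "CN=" cn) { print $4; exit }
        }' "$1"
}

# Print the path openssl ca -revoke needs (assumed default layout:
# <ca dir>/newcerts/<serial>.pem). $1 = CA dir, $2 = index.txt, $3 = CN.
newcert_path() {
    serial=$(serial_for_cn "$2" "$3")
    [ -n "$serial" ] || return 1
    printf '%s/newcerts/%s.pem\n' "$1" "$serial"
}

# Constructed sample index.txt: one valid cert, and one name that was
# revoked (R) and then reissued (V), as the answer's workflow produces.
make_sample_index() {
    printf 'V\t230101120000Z\t\t1012\tunknown\t/C=US/O=Example/CN=old.example.test\n' > "$1"
    printf 'R\t230101120000Z\t220301090000Z\t1011\tunknown\t/C=US/O=Example/CN=www.example.test\n' >> "$1"
    printf 'V\t230101120000Z\t\t1013\tunknown\t/C=US/O=Example/CN=www.example.test\n' >> "$1"
}

# Demo run against the constructed index: prints the revoke command to use.
demo_index=$(mktemp)
make_sample_index "$demo_index"
if path=$(newcert_path /etc/ssl "$demo_index" www.example.test); then
    echo "openssl ca -revoke $path"
fi
rm -f "$demo_index"
```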


I haven't tried this but it looks like you need something like this.

openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt 

openssl automatically saves a copy of your cert in the newcerts directory. You may want to check it to retrieve your certificate. Unfortunately you need a certificate present to revoke it. See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml

Nilesh answered Oct 03 '22 10:10