Revoke the intermediate CA certificate

Richard Crowley edited this page Apr 15, 2014 · 8 revisions

If your root CA's private key leaks, you're out of luck and have to burn the whole PKI to the ground. If your luck is bad, but slightly less bad, and only your intermediate CA's private key leaks, you can recover.

First, take advantage of the fact that certified-ca(1) and certified(1) record the history of your CA as commits in a Git repository, one command per commit subject:

git --git-dir="etc/ssl/.git" log --pretty="format:%s" --reverse >"history.sh"

We'll use this shell script later.

Now, revoke every certificate issued by the compromised intermediate CA as well as the intermediate CA certificate itself (this will require the root CA private key and password):

certified-ls | xargs -I"_" certified --revoke CN="_"
certified-ca --revoke

Finally, regenerate all the certificates previously signed, starting with a new intermediate CA:

sh "history.sh"
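The three steps above, wrapped in one script as an added example (this is not part of certified itself). It assumes certified-ca(1), certified(1) and certified-ls(1) are on PATH and the CA lives in etc/ssl as on this page; because the commit subjects are executed as shell, it refuses to replay a history containing anything other than plain certified(1)/certified-ca(1) invocations.

```shell
#!/bin/sh
# Added example wrapping the recovery procedure (not certified's own code).
set -e

# Step 1: dump the CA's command history, oldest first, one certified(1) or
# certified-ca(1) invocation per commit subject, as a replayable script.
extract_history() {
    git --git-dir="${1:-etc/ssl}/.git" log --pretty="format:%s" --reverse
}

# Sanity check before replaying: every non-empty line on stdin must start
# with certified-ca or certified and carry no shell metacharacters, so an
# edited or stray commit subject is never run as an arbitrary command.
# Returns 0 when the history is clean, 1 otherwise.
check_history() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *[';|&<>`']*|*'$('*) echo "shell metacharacter in: $line" >&2; bad=1 ;;
            certified-ca|certified-ca\ *|certified\ *) ;;
            *) echo "not a certified command: $line" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Steps 2 and 3: revoke everything the compromised intermediate signed and the
# intermediate itself (needs the root CA key and password), then replay the
# checked history to rebuild the PKI under a new intermediate CA.
recover() {
    dir="${1:-etc/ssl}"
    extract_history "$dir" >"history.sh"
    check_history <"history.sh"
    certified-ls | xargs -I"_" certified --revoke CN="_"
    certified-ca --revoke
    sh "history.sh"
}

# Constructed sample history for the self-check below (not a real CA; the
# certified-ca arguments are illustrative only).
sample_history() {
    printf '%s\n' \
        'certified-ca C="US" CN="Example CA"' \
        'certified CN="www.example.com"' \
        'certified CN="db.example.com"'
}

case "${1:-}" in
    run) recover "${2:-}" ;;
    *) sample_history | check_history && echo "sample history OK" ;;
esac
```

Run it as `sh recover.sh run etc/ssl` to perform the recovery; with no arguments it only validates the constructed sample history.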