ca-scripts/doc/ca-revoke-cert.pod

94 lines
2.9 KiB
Text
Raw Normal View History

2010-02-16 01:35:57 -05:00
#! /bin/sh
if [ -z "$1" -o "$1" == "man" ]; then
exec /usr/bin/pod2man -n CA-REVOKE-CERT -s 1 -d "12 February 2010" \
-r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
elif [ "$1" == "html" ]; then
exec /usr/bin/pod2html --title "ca-revoke-cert(1)" < $0
elif [ "$1" == "text" ]; then
exec /usr/bin/pod2text -o $0
fi
echo "Unrecognised output format '$1', try man, html, or text."
exit 1
=pod
=head1 NAME
ca-revoke-cert - revoke a certificate and re-generate CRL
=head1 SYNOPSIS
B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
[B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
2010-02-16 01:35:57 -05:00
B<ca-revoke-cert> [B<-h>] | [B<--help>]
=head1 DESCRIPTION
B<ca-revoke-cert> revokes certificates generated with ca-create-cert(1) and
updates the CA's certificate revocation lists in both PEM and DER-encoded
formats. It can also optionally generate an HTML file with MD5 and SHA1
fingerprints suitable for publishing the CA certificate and the CRL.
=head1 OPTIONS
B<ca-revoke-cert> can infer the correct cached configurations to use for
certificate revocation from the hostname of a I<server> or I<client>, the
username of a I<user>, or the path to a previously generated certificate of any
type.
=over
=item B<-t> I<TYPE>, B<--type> I<TYPE>
This argument overrides the type detection if multiple certificate types share
the same common name, telling B<ca-revoke-cert> what type of certificate it is
revoking, either I<server>, I<client>, or I<user>.
2010-02-16 01:35:57 -05:00
=item B<-f> I<FILE>, B<--config> I<FILE>
Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>.
=item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided
with ca-scripts. See the B<TEMPLATING> section of ca-scripts.conf(5) for more
details of the templating system. Hint: it's sed(1) based...
=item B<-o> I<FILE>, B<--output> I<FILE>
Generate a HTML page in I<FILE> suitable for serving your CA certificate and
revocation lists via HTTP. The default template is basic but provides MD5 and
SHA1 fingerprints of both files for verification purposes.
=back
=head1 BUGS
Probably. At the moment the revocation reason is hardcoded to "superseded";
this may change in future releases along with code to deal with key compromise.
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
generated CRLs due to requiring a very recent version of openssl(1).
=head1 AVAILABILITY
New releases of the ca-scripts utilities can be found at
L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
for development versions also exists.
=head1 AUTHORS
Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
=head1 SEE ALSO
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
openssl(1ssl), ca(1ssl), req(1ssl), x509(1ssl), config(5ssl), and
x509v3_config(5ssl).
=cut