ca-scripts/doc/ca-revoke-cert.pod

102 lines
3.3 KiB
Bash
Executable file

#! /bin/sh
if [ -z "$1" -o "$1" == "man" ]; then
exec /usr/bin/pod2man -n CA-REVOKE-CERT -s 1 -d "12 February 2010" \
-r "ca-scripts version 0.9" -c "SSL Certificate Authority utilities" $0
elif [ "$1" == "html" ]; then
exec /usr/bin/pod2html --title "ca-revoke-cert(1)" < $0
elif [ "$1" == "text" ]; then
exec /usr/bin/pod2text -o $0
fi
echo "Unrecognised output format '$1', try man, html, or text."
exit 1
=pod
=head1 NAME
ca-revoke-cert - revoke a certificate and re-generate CRL
=head1 SYNOPSIS
B<ca-revoke-cert> [B<-f> I<config>] [B<-t> I<type>] [B<-l> I<days>]
[B<-i> I<template>] [B<-o> I<file>] I<common name>|I<path to certificate>
B<ca-revoke-cert> [B<-h>] | [B<--help>]
=head1 DESCRIPTION
B<ca-revoke-cert> revokes certificates generated with ca-create-cert(1) and
updates the CA's certificate revocation lists in both PEM and DER-encoded
formats. It can also optionally generate an HTML file with MD5 and SHA1
fingerprints suitable for publishing the CA certificate and the CRL.
=head1 OPTIONS
B<ca-revoke-cert> can infer the correct cached configurations to use for
certificate revocation from the hostname of a I<server> or I<client>, the
username of a I<user>, or the path to a previously generated certificate of any
type.
=over
=item B<-t> I<TYPE>, B<--type> I<TYPE>
This argument overrides the type detection if multiple certificate types share
the same common name, telling B<ca-revoke-cert> what type of certificate it is
revoking, either I<server>, I<client>, or I<user>.
=item B<-f> I<FILE>, B<--config> I<FILE>
Load the ca-scripts configuration from I<FILE> instead of
I</etc/ca-scripts.conf>.
=item B<-l> I<DAYS>, B<--crl-days> I<DAYS>
Generate a CRL that is valid for I<DAYS> days instead of the default
B<CA_CRL_DAYS> set in the configuration file.
=item B<-i> I<FILE>, B<--template> I<FILE>
Use the index.html template in I<FILE> rather than the standard one provided
with ca-scripts. See the B<TEMPLATING> section of ca-scripts.conf(5) for more
details of the templating system. Hint: it's sed(1) based...
=item B<-o> I<FILE>, B<--output> I<FILE>
Generate a HTML page in I<FILE> suitable for serving your CA certificate and
revocation lists via HTTP. The default template is basic but provides MD5 and
SHA1 fingerprints of both files for verification purposes.
=back
=head1 BUGS
Probably. At the moment the revocation reason is hardcoded to "superseded";
this may change in future releases along with code to deal with key compromise.
Additionally, the CRLv2 extension I<issuingDistributionPoint> is not yet set in
generated CRLs due to requiring a very recent version of openssl(1).
These scripts will not handle configuring an OCSP server for you. OCSP is an
alternative method of checking the validity of X.509 certificates, and is
Worth Investigating. See ocsp(1ssl) and the
L<wikipedia entry|http://en.wikipedia.org/wiki/OCSP> for details.
=head1 AVAILABILITY
New releases of the ca-scripts utilities can be found at
L<the developer's website|http://www.pl0rt.org/code/ca-scripts>.
A L<git repository|git://git.pl0rt.org/alex/code/ca-scripts>
for development versions also exists.
=head1 AUTHORS
Copyright 2009, 2010 Alex Bramley a.bramley@gmail.com
=head1 SEE ALSO
ca-init(1), ca-create-cert(1), ca-renew-cert(1), ca-scripts.conf(5),
openssl(1ssl), ca(1ssl), x509(1ssl), and ocsp(1ssl).
=cut