Chapter 23. Invalidating a specific group of related certificates quickly
As a system administrator, if you want to be able to invalidate a specific group of related certificates quickly:
- Design your applications so that they only trust certificates that were issued by a specific lightweight Identity Management (IdM) sub-CA. Afterwards, you will be able to invalidate all these certificates by only revoking the certificate of the Identity Management (IdM) sub-CA that issued these certificates. For details on how to create and use a lightweight sub-CA in IdM, see Invalidating a specific group of related certificates quickly.
To ensure that all the certificates that have been issued by the to-be-revoked IdM sub-CA are immediately treated as invalid, configure applications that rely on such certificates to use the IdM OCSP responders. In IdM, the certificate revocation list (CRL) is updated only every four hours, so a client that checks the CRL alone can keep accepting a revoked certificate until it fetches the updated CRL; an OCSP query reflects the revocation as soon as it is made. For example, to configure the Firefox browser to use OCSP responders, make sure that the Query OCSP responder servers to confirm the current validity of certificates checkbox is checked in Firefox Preferences.
To invalidate all the certificates issued by an IdM sub-CA, revoke the IdM sub-CA certificate. In addition, disable the relevant CA ACLs, and consider disabling the IdM sub-CA. Disabling the sub-CA prevents the sub-CA from issuing new certificates, but allows Online Certificate Status Protocol (OCSP) responses to be produced for previously issued certificates because the sub-CA's signing keys are retained.
Do not delete the sub-CA if you use OCSP in your environment. Deleting the sub-CA deletes the signing keys of the sub-CA, preventing production of OCSP responses for certificates issued by that sub-CA.
The only scenario in which deleting a sub-CA is preferable to disabling it is when you want to create a new sub-CA with the same Subject distinguished name (DN) but a new signing key.
23.1. Disabling CA ACLs in IdM CLI
When you want to retire an IdM service or a group of IdM services, consider disabling any existing corresponding CA ACLs.
Follow this procedure to disable the TLS_web_server_authentication CA ACL, which permits the web server running on your IdM client to request certificates issued by the webserver-ca IdM sub-CA, and the TLS_web_client_authentication CA ACL, which permits IdM users to request user certificates issued by the webclient-ca IdM sub-CA.
Procedure
Optional: To view all the CA ACLs in your IdM environment, enter the ipa caacl-find command:
$ ipa caacl-find
-----------------
3 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE

  ACL name: TLS_web_server_authentication
  Enabled: TRUE

  ACL name: TLS_web_client_authentication
  Enabled: TRUE
Optional: To view the details of a CA ACL, enter the ipa caacl-show command, and specify the CA ACL name:
$ ipa caacl-show TLS_web_server_authentication
  ACL name: TLS_web_server_authentication
  Description: CAACL for web servers authenticating to web clients using certificates issued by webserver-ca
  Enabled: TRUE
  CAs: webserver-ca
  Profiles: caIPAserviceCert
  Services: HTTP/rhel8server.idm.example.com@IDM.EXAMPLE.COM
To disable a CA ACL, enter the ipa caacl-disable command, and specify the CA ACL name. To disable the TLS_web_server_authentication CA ACL, enter:
$ ipa caacl-disable TLS_web_server_authentication
-------------------------------------------------
Disabled CA ACL "TLS_web_server_authentication"
-------------------------------------------------
To disable the TLS_web_client_authentication CA ACL, enter:
$ ipa caacl-disable TLS_web_client_authentication
-------------------------------------------------
Disabled CA ACL "TLS_web_client_authentication"
-------------------------------------------------
The only enabled CA ACL now is the hosts_services_caIPAserviceCert CA ACL.
Important: Be extremely careful about disabling the hosts_services_caIPAserviceCert CA ACL. Disabling hosts_services_caIPAserviceCert without another CA ACL granting IdM servers use of the ipa CA with the caIPAserviceCert profile means that certificate renewal of the IdM HTTP and LDAP certificates will fail. The expired IdM HTTP and LDAP certificates will eventually cause IdM system failure.
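The warning above is easy to violate when the disable commands are scripted, so a pre-flight check is worth having. The following Python script is an added example and is not part of this chapter or of the IdM project; it parses the text output of ipa caacl-find --all (the --all option is needed because the default listing omits the CAs and Profiles lines) and refuses to disable a CA ACL if it is the last enabled one granting the ipa CA with the caIPAserviceCert profile. The sample output embedded in the script is constructed from the caacl-find and caacl-show listings shown earlier in this section, not captured from a server, and the record layout it relies on (an ACL name line starting each record, followed by Enabled, CAs and Profiles lines) is taken from those listings.

```python
"""Pre-flight check before running `ipa caacl-disable`.

Added example: parses `ipa caacl-find --all` text output and refuses to
disable the last enabled CA ACL that grants the `ipa` CA with the
`caIPAserviceCert` profile, because IdM servers renew their own HTTP and
LDAP certificates through such an ACL.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# CA and profile used by IdM servers to renew their HTTP and LDAP certificates.
RENEWAL_CA = "ipa"
RENEWAL_PROFILE = "caIPAserviceCert"

# Constructed sample modelled on the `ipa caacl-find` / `ipa caacl-show`
# listings in this chapter; it is not real output captured from a server.
SAMPLE_CAACL_FIND_ALL = """\
-----------------
3 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAserviceCert

  ACL name: TLS_web_server_authentication
  Description: CAACL for web servers authenticating to web clients using certificates issued by webserver-ca
  Enabled: TRUE
  CAs: webserver-ca
  Profiles: caIPAserviceCert
  Services: HTTP/rhel8server.idm.example.com@IDM.EXAMPLE.COM

  ACL name: TLS_web_client_authentication
  Enabled: TRUE
  CAs: webclient-ca
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 3
----------------------------
"""


@dataclass
class CaAcl:
    name: str
    enabled: bool = False
    cas: set[str] = field(default_factory=set)
    profiles: set[str] = field(default_factory=set)


def parse_caacl_find(text: str) -> list[CaAcl]:
    """Turn `Key: value` lines into CaAcl records; each `ACL name:` line starts a record."""
    acls: list[CaAcl] = []
    current: CaAcl | None = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # rule lines, "N CA ACLs matched", "Number of entries returned N"
        key, value = key.strip(), value.strip()
        if key == "ACL name":
            current = CaAcl(name=value)
            acls.append(current)
        elif current is None:
            continue
        elif key == "Enabled":
            current.enabled = value.upper() == "TRUE"
        elif key == "CAs":
            current.cas = {v.strip() for v in value.split(",")}
        elif key == "Profiles":
            current.profiles = {v.strip() for v in value.split(",")}
    return acls


def grants_server_renewal(acl: CaAcl) -> bool:
    """True when the ACL is enabled and grants the renewal CA with the renewal profile."""
    return acl.enabled and RENEWAL_CA in acl.cas and RENEWAL_PROFILE in acl.profiles


def plan_disable(acls: list[CaAcl], target: str) -> tuple[bool, str]:
    """Return (safe, message); safe is True only when `target` may be disabled."""
    by_name = {a.name: a for a in acls}
    if target not in by_name:
        return False, f"no CA ACL named {target!r}"
    acl = by_name[target]
    if not acl.enabled:
        return False, f"{target} is already disabled"
    if grants_server_renewal(acl):
        others = [a.name for a in acls if a.name != target and grants_server_renewal(a)]
        if not others:
            return False, (f"refusing: {target} is the only enabled CA ACL granting CA "
                           f"{RENEWAL_CA!r} with profile {RENEWAL_PROFILE!r}; IdM HTTP/LDAP "
                           "certificate renewal would fail")
        # Another ACL matches on CA and profile; whether it actually covers the IdM
        # servers' own service principals still has to be confirmed by hand.
    return True, f"ipa caacl-disable {target}"


def main() -> None:
    acls = parse_caacl_find(SAMPLE_CAACL_FIND_ALL)
    for name in ("TLS_web_server_authentication",
                 "TLS_web_client_authentication",
                 "hosts_services_caIPAserviceCert"):
        safe, message = plan_disable(acls, name)
        print(("OK   " if safe else "STOP ") + message)


if __name__ == "__main__":
    main()
```

On a real server, feed the script the output of ipa caacl-find --all instead of the constructed sample; with the three ACLs from this section it approves disabling the two TLS_web_* ACLs and stops at hosts_services_caIPAserviceCert, which is the only ACL granting the ipa CA with the caIPAserviceCert profile. The check matches on CA and profile only, so when another ACL does match, still confirm by hand that it covers the IdM servers' HTTP and LDAP service principals before disabling hosts_services_caIPAserviceCert.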
23.2. Disabling an IdM sub-CA
After revoking the CA certificate of an IdM sub-CA to invalidate all the certificates issued by that sub-CA, consider disabling the IdM sub-CA if you no longer need it. You can re-enable the sub-CA at a later time.
Disabling the sub-CA prevents the sub-CA from issuing new certificates, but allows Online Certificate Status Protocol (OCSP) responses to be produced for previously issued certificates because the sub-CA’s signing keys are retained.
Prerequisites
- You are logged in as IdM administrator.
Procedure
Enter the ipa ca-disable command and specify the name of the sub-CA:
$ ipa ca-disable webserver-CA
--------------------
Disabled CA "webserver-CA"
--------------------