14.3.8. Revoking an SSH CA Certificate

If a certificate is stolen, it should be revoked. Although OpenSSH does not provide a mechanism to distribute the revocation list it is still easier to create the revocation list and distribute it by other means then to change the CA keys and all host and user certificates previously created and distributed.

Keys can be revoked by adding them to the revoked_keys file and specifying the file name in the sshd_config file as follows:

RevokedKeys /etc/ssh/revoked_keys

Note that if this file is not readable, then public key authentication will be refused for all users.

To test if a key has been revoked, query the revocation list for the presence of the key. Use a command as follows:

ssh-keygen -Qf /etc/ssh/revoked_keys ~/.ssh/id_rsa.pub

A user can revoke a CA certificate by changing the cert-authority directive to revoke in the known_hosts file.