7.2. Performing a CMC Revocation

Similar to Certificate Management over CMS (CMC) enrollment, CMC revocation enables users to set up a revocation client, and sign the revocation request with either an agent certificate or a user certificate with a matching subjectDN attribute. Then the user can send the signed request to the Certificate Manager.
Alternatively, CMC revocation can also be authenticated using the Shared Secret Token mechanism. For details, see Enabling the CMC Shared Secret Feature.
Regardless of whether a user or agent signs the request or if a Shared Secret Token is used, the Certificate Manager automatically revokes the certificate when it receives a valid revocation request.
Certificate System provides the following utilities for CMC revocation requests:

Important

Red Hat recommends using the CMCRequest utility to generate CMC revocation requests, because it provides more options than CMCRevoke.

7.2.1. Revoking a Certificate Using CMCRequest

To revoke a certificate using CMCRequest:
  1. Create a configuration file for the CMC revocation request, such as /home/user_name/cmc-request.cfg, with the following content: 
    #numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1

#output: full path for the CMC request in binary format
output=/home/user_name/cmc.revoke.userSigned.req

#tokenname: name of token where user signing cert can be found
#(default is internal)
tokenname=internal

#nickname: nickname for user signing certificate which will be used
#to sign the CMC full request.
nickname=signer_user_certificate

#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=/home/user_name/.dogtag/nssdb/

#password: password for cert8.db which stores the user signing
#certificate and keys
password=myPass

#format: request format, either pkcs10 or crmf.
format=pkcs10

## revocation parameters
revRequest.enable=true
revRequest.serial=45
revRequest.reason=unspecified
revRequest.comment=user test revocation
revRequest.issuer=issuer
revRequest.sharedSecret=shared_secret
  2. Create the CMC request: 
    # CMCRequest /home/user_name/cmc-request.cfg
    If the command succeeds, the CMCRequest utility stores the CMC request in the file specified in the output parameter in the request configuration file.
  3. Create a configuration file, such as /home/user_name/cmc-submit.cfg, which you use in a later step to submit the CMC revocation request to the CA. Add the following content to the created file: 
    #host: host name for the http server
host=>server.example.com

#port: port number
port=8443

#secure: true for secure connection, false for nonsecure connection
secure=true

#input: full path for the enrollment request, the content must be
#in binary format
input=/home/user_name/cmc.revoke.userSigned.req

#output: full path for the response in binary format
output=/home/user_name/cmc.revoke.userSigned.resp

#tokenname: name of token where SSL client authentication certificate
#can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal

#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=/home/user_name/.dogtag/nssdb/

#clientmode: true for client authentication, false for no client
#authentication. This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=password

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
nickname=signer_user_certificate

    Important

    If the CMC revocation request is signed, set the secure and clientmode parameters to true and, additionally, fill the nickname parameter.
  4. Depending on who signed the request, the servlet parameter in the configuration file for HttpClient must be set accordingly:
    • If an agent signed the request, set: 
      servlet=/ca/ee/ca/profileSubmitCMCFull
    • If a user signed the request, set: 
      servlet=/ca/ee/ca/profileSubmitSelfSignedCMCFull
  5. Submit the CMC request: 
    # HttpClient /home/user_name/cmc-submit.cfg
For further details about revoking a certificate using CMCRequest, see the CMCRequest(1) man page.

7.2.2. Revoking a Certificate Using CMCRevoke

The CMC revocation utility, CMCRevoke, is used to sign a revocation request with an agent's certificate. This utility simply passes the required information — certificate serial number, issuer name, and revocation reason — to identify the certificate to revoke, and then the require information to identify the CA agent performing the revocation (certificate nickname and the database with the certificate).
The reason the certificate is being revoked can be any of the following (with the number being the value passed to the CMCRevoke utility):
  • 0 — unspecified
  • 1 — the key was compromised
  • 2 — the CA key was compromised
  • 3 — the employee's affiliation changed
  • 4 — the certificate has been superseded
  • 5 — cessation of operation
  • 6 — the certificate is on hold
The available tool arguments are described in detail in the Command-Line Tools Guide.

7.2.2.1. Testing CMCRevoke

  1. Create a CMC revocation request for an existing certificate. 
    CMCRevoke -d/path/to/agent-cert-db -nnickname -iissuerName -sserialName -mreason -ccomment
    For example, if the directory containing the agent certificate is ~jsmith/.mozilla/firefox/, the nickname of the certificate is AgentCert, and the serial number of the certificate is 22, the command is as shown: 
    CMCRevoke -d"~jsmith/.mozilla/firefox/" -n"ManagerAgentCert" -i"cn=agentAuthMgr" -s22 -m0 -c"test comment"

    Note

    Surround values that include spaces in quotation marks.

    Important

    Do not have a space between the argument and its value. For example, giving a serial number of 26 is -s26, not -s 26.
  2. Open the end-entities page. 
    https://server.example.com:8443/ca/ee/ca
  3. Select the Revocation tab.
  4. Select the CMC Revoke link on the menu.
  5. Paste the output from the CMCRevoke into the text area.
  6. Remove -----BEGIN NEW CERTIFICATE REQUEST----- and ----END NEW CERTIFICATE REQUEST----- from the pasted content.
  7. Click Submit.
  8. The returned page should confirm that correct certificate has been revoked.