Chapter 6. Managing the validity of certificates in IdM

In Identity Management (IdM), you can manage the validity of both already existing certificates and certificates you want to issue in the future, but the methods are different.

6.1. Managing the validity of an existing certificate that was issued by IdM CA

In IdM, the following methods of viewing the expiry date of a certificate are available:

You can manage the validity of an already existing certificate that was issued by IdM CA in the following ways:

6.2. Managing the validity of future certificates issued by IdM CA

To manage the validity of future certificates issued by IdM CA, modify, import, or create a certificate profile. For details, see Creating and managing certificate profiles in Identity Management.

6.3. Viewing the expiry date of a certificate in IdM WebUI

You can use IdM WebUI to view the expiry date of all the certificates that have been issued by IdM CA.

Prerequisites

  • Ensure that you have obtained the administrator’s credentials.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 6.1. List of Certificates

    A screenshot of the "Certificates" page of the IdM Web UI displaying a table of certificates. The certificates are organized by their Serial Numbers and their Subject. The Serial Number "3" is highlighted for the third certificate in the table.
  3. In the certificate information page, locate the Expires On information.

6.4. Viewing the expiry date of a certificate in the CLI

You can use the command-line interface (CLI) to view the expiry date of a certificate.

Procedure

  • Use the openssl utility to display the certificate file in a human-readable format and check the Not After line in the Validity section:

    $ openssl x509 -noout -text -in ca.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = IDM.EXAMPLE.COM, CN = Certificate Authority
            Validity
                Not Before: Oct 30 19:39:14 2017 GMT
                Not After : Oct 30 19:39:14 2037 GMT
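The following added example (not part of the original documentation) parses the Not After line out of the `openssl x509 -noout -text` output shown above and reports whether the certificate is valid, expiring within a warning window, or already expired. The sample text and the reference timestamps are constructed for the example.

```python
"""Parse 'Not After' from `openssl x509 -noout -text` output and classify expiry."""
import re
from datetime import datetime, timezone

# Constructed sample: the same shape as the openssl output in section 6.4.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = IDM.EXAMPLE.COM, CN = Certificate Authority
        Validity
            Not Before: Oct 30 19:39:14 2017 GMT
            Not After : Oct 30 19:39:14 2037 GMT
"""
# Constructed variant whose Not After date lies in the past.
EXPIRED_OPENSSL_TEXT = SAMPLE_OPENSSL_TEXT.replace("2037 GMT", "2016 GMT")
# Constructed reference "now": the sample certificate's Not Before instant.
ISSUED_AT = datetime(2017, 10, 30, 19, 39, 14, tzinfo=timezone.utc)

_NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_not_after(openssl_text: str) -> datetime:
    """Return the notAfter timestamp as a timezone-aware UTC datetime.

    openssl prints e.g. 'Oct 30 19:39:14 2037 GMT' and pads single-digit days
    with a space ('Oct  3 ...'), so fields are split on whitespace first.
    """
    match = _NOT_AFTER_RE.search(openssl_text)
    if match is None:
        raise ValueError("no 'Not After' line found in openssl output")
    fields = match.group(1).split()  # ['Oct', '30', '19:39:14', '2037', 'GMT']
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError(f"unexpected notAfter format: {match.group(1)!r}")
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    return (not_after - now).days


def expiry_status(openssl_text: str, now: datetime, warn_days: int = 30) -> str:
    """Classify as 'expired', 'expiring' (within warn_days) or 'valid'."""
    remaining = days_until_expiry(parse_not_after(openssl_text), now)
    if remaining < 0:
        return "expired"
    return "expiring" if remaining <= warn_days else "valid"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    not_after = parse_not_after(SAMPLE_OPENSSL_TEXT)
    print(not_after.isoformat(), days_until_expiry(not_after, now), expiry_status(SAMPLE_OPENSSL_TEXT, now))
```

To check a real file, feed it the output of `openssl x509 -noout -text -in ca.pem` instead of the constructed sample.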

6.5. Revoking certificates with the integrated IdM CAs

6.5.1. Certificate revocation reasons

A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold.

The default revocation reason is 0: unspecified.

Table 6.1. Revocation Reasons

  ID  Reason                               Explanation
  0   Unspecified
  1   Key Compromised                      The key that issued the certificate is no longer trusted. Possible causes: lost token, improperly accessed file.
  2   CA Compromised                       The CA that issued the certificate is no longer trusted.
  3   Affiliation Changed                  Possible causes: a person has left the company or moved to another department; a host or service is being retired.
  4   Superseded                           A newer certificate has replaced the current certificate.
  5   Cessation of Operation               The host or service is being decommissioned.
  6   Certificate Hold                     The certificate is temporarily revoked. You can restore the certificate later.
  8   Remove from CRL                      The certificate is not included in the certificate revocation list (CRL).
  9   Privilege Withdrawn                  The user, host, or service is no longer permitted to use the certificate.
  10  Attribute Authority (AA) Compromise  The AA certificate is no longer trusted.

6.5.2. Revoking certificates with the integrated IdM CAs using IdM WebUI

If you know you have lost the private key for your certificate, you must revoke the certificate to prevent its abuse. Complete this procedure to use the IdM WebUI to revoke a certificate issued by the IdM CA.

Procedure

  1. Click Authentication > Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 6.2. List of Certificates

    A screenshot of the "Certificates" page of the IdM Web UI displaying a table of certificates. The certificates are organized by their Serial Numbers and their Subject. The Serial Number "3" is highlighted for the third certificate in the table.
  3. In the certificate information page, click Actions > Revoke Certificate.
  4. Select the reason for revoking and click Revoke. See Certificate revocation reasons for details.

6.5.3. Revoking certificates with the integrated IdM CAs using IdM CLI

If you know you have lost the private key for your certificate, you must revoke the certificate to prevent its abuse. Complete this procedure to use the IdM CLI to revoke a certificate issued by the IdM CA.

Procedure

  • Use the ipa cert-revoke command, and specify:

For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised, enter:

$ ipa cert-revoke 1032 --revocation-reason=1

For details on requesting a new certificate, see the following documentation:

6.6. Restoring certificates with the integrated IdM CAs

If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again if the private key for the certificate has not been compromised. To restore a certificate, use one of the following procedures:

6.6.1. Restoring certificates with the integrated IdM CAs using IdM WebUI

Complete this procedure to use the IdM WebUI to restore an IdM certificate that has been revoked because of Reason 6: Certificate Hold.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 6.3. List of Certificates

    A screenshot of the "Certificates" page of the IdM Web UI displaying a table of certificates. The certificates are organized by their Serial Numbers and their Subject. The Serial Number "3" is highlighted for the third certificate in the table.
  3. In the certificate information page, click Actions > Restore Certificate.

6.6.2. Restoring certificates with the integrated IdM CAs using IdM CLI

Complete this procedure to use the IdM CLI to restore an IdM certificate that has been revoked because of Reason 6: Certificate Hold.

Procedure

  • Use the ipa cert-remove-hold command and specify the certificate serial number. For example:

    $ ipa cert-remove-hold 1032