Question on "step ssh revoke" #1943
I am able to revoke a certificate with the simple command Thanks!
Replies: 1 comment 1 reply
Hey @CoderMcDaniel,

When revoking an SSH certificate, the SSH certificate gets recorded as being revoked on the CA side. The result of this is that the SSH certificate can't be used to renew itself, so that it'll eventually expire, and will no longer be usable. Currently the command does not interact with your local SSH agent, which is something we could look into adding, but in the end it's the SSH daemon that must verify the SSH certificate, so just removing it from the SSH agent won't get you to a 100% "blocking of the cert", so to speak.

Currently SSH certificate revocation relies on passive revocation, meaning that when the SSH certificate is revoked, it'll eventually expire and not be renewed (unless reauthenticated in some way). Revocation is thus not immediate. For active revocation you'll need a so-called Key Revocation List (KRL), but currently …
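The KRL mechanism the reply refers to, as an added example that is not part of the original thread or of the step project: it assumes OpenSSH's ssh-keygen is installed, constructs a throwaway CA plus two user certificates, and shows that a KRL entry by serial number blocks one certificate immediately while the other stays valid.

```shell
#!/bin/sh
# Added example (not from the step project): active revocation of an SSH
# certificate with an OpenSSH Key Revocation List (KRL), the mechanism the
# reply above names as the alternative to passive revocation. Requires
# ssh-keygen; every key here is constructed on the fly in a temp directory.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KRL="$WORK/ssh.krl"

# Stand-in for the SSH user CA (in a step-ca deployment this would be the
# CA's public SSH key, already listed under TrustedUserCAKeys on the host).
ssh-keygen -q -t ed25519 -N '' -C demo-ssh-ca -f "$WORK/ca"

# Two user certificates, each with an explicit serial number (-z): the serial
# is what a KRL entry refers to, so always issue certs with unique serials.
for user in alice bob; do
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
done
ssh-keygen -q -s "$WORK/ca" -I alice@demo -n alice -z 42 -V +1h "$WORK/alice.pub"
ssh-keygen -q -s "$WORK/ca" -I bob@demo   -n bob   -z 43 -V +1h "$WORK/bob.pub"

# KRL specification: revoke alice's certificate by serial. 'id: <key-id>'
# entries work too; both need the CA public key (-s) when building the KRL.
printf 'serial: 42\n' > "$WORK/revoke.spec"
ssh-keygen -q -k -f "$KRL" -s "$WORK/ca.pub" "$WORK/revoke.spec"

# Offline check of what sshd will decide once the KRL is installed: the exit
# status of 'ssh-keygen -Q' is non-zero if any given key/cert is revoked.
cert_status() {
    if ssh-keygen -Q -f "$KRL" "$1" >/dev/null 2>&1; then echo ok; else echo REVOKED; fi
}

echo "alice: $(cert_status "$WORK/alice-cert.pub")"   # REVOKED
echo "bob:   $(cert_status "$WORK/bob-cert.pub")"     # ok

# Enforcement on the server: point sshd at the KRL and reload it. Unlike
# passive revocation, this blocks the cert immediately on that host.
#   RevokedKeys /etc/ssh/ssh.krl      (in sshd_config)
# Later revocations are appended to the same file with 'ssh-keygen -k -u ...'.
```

Because the KRL is per host, it has to be distributed to every server that trusts the CA; a revoked certificate is still accepted by any host whose KRL has not been updated.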