Generating the Key Revocation List (KRL)

The KRL is a compact binary format which allows revoking SSH signed certificates.

Create an empty revoking list:

❯ touch /etc/ssh/revoked_keys

Update /etc/ssh/sshd_config to include the new Key Revocation List:

❯ RevokedKeys /etc/ssh/revoked_keys

When necessary, revoke the first signed certificate:

❯ ssh-keygen -k -f revoked_keys -s sshuser.root.ca.pub foo-cert.pub

When necessary, append more revoked certificates (using -u):

❯ ssh-keygen -k -f revoked_keys -s sshuser.root.ca.pub -u bar-cert.pub

Confirm that revocation worked:

❯ ssh-keygen -Qf revoked_keys foo-cert.pub

Distribute the updated revoked_keys to every host (/etc/ssh/revoked_keys) using rsync, scp or other orchestration utility.

NOTE: ssh-keygen should not require the signed public certificate to revoke it. Instead, using just the serial number should work. However, this is currently not working on OpenSSH 7.2p2 (Ubuntu).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

generating-the-key-revocation-list-krl.md

generating-the-key-revocation-list-krl.md

Generating the Key Revocation List (KRL)

Files

generating-the-key-revocation-list-krl.md

Latest commit

History

generating-the-key-revocation-list-krl.md

File metadata and controls

Generating the Key Revocation List (KRL)