Revoke-ACMECertificiate - Given Certificate as Input (rather than an order)

[GeorgeSchiro]

Happy New Year!

In #13 we briefly discussed certificate revocation. You suggested that you could add an implementation that accepts the certificate itself as input (rather than an ACME order).

I responded "Clearly you must be given the private key. In what form? PFX file?"

Any feel for when you might work on this Thomas?

[glatzert]

Hi George,

ACME allows two ways to revoke the certificate:
Either via certificate pem and account key or
via certificate pem and certificate key.

The first one is implemented (via passing the order, which will (if not called with the paramters preventing it) store the certificate pem along the order itself) but untested.

The second one is currently not implemented, and I am not sure, HOW I would implement it.
I'll see, if I can convert the pfx to .der and use that.

I'll (try to) provide the following parameter sets:

• State + Order
• State + PEM
• State + PFX
• PFX

[GeorgeSchiro]

Since we don't keep orders beyond their initial use (ie. acquiring the new certificate), we are in favor of the "PFX" approach.

We are already using OpenSSL to convert PFX to PEM (and vice-versa) to resolve another issue (don't recall the issue number), so we know a PEM file can contain the certificate's private key.

If the PEM already contains the certificate key, what did you mean by "or via certificate pem and certificate key" ?

[glatzert]

If the PEM already contains the certificate key, what did you mean by "or via certificate pem and certificate key" ?

if you want to revoke a certificate the request needs to be signed. Either with the account key (simple, since it's implemented) or via the certificate key (probably simple, but needs to be converted into Json Web Key).

I can implement State + PEM (public key only) very easily. Will do on the weekend.

[GeorgeSchiro]

Can you get the certificate key (the private key, used for signing the revocation request) from the PEM as well?

[glatzert]

I will tell you as soon as I know the answer.

[glatzert]

It seems i can export the public key from the pfx, so it should be possible to implement it. (at least some tests around the matter have been successfull today)

[GeorgeSchiro]

FYI, I found this: Revoking certificates (see "Using the certificate private key").

While a simple revocation call makes our lives easier, can you imagine the havoc a hacker could inflict if and when he gets a hold of your private key? It's not just about faking your site and swindling users (hard), but with access to a simple revocation mechanism a hacker can easily bring down your site by invalidating your certificate (again, assuming the private key has been compromised).

I really expected that revocation would have entailed a challenge from a site-owned server (similar to what's required for getting the certificate in the first place). But hey, what do I know!

[glatzert]

I think, if a hacker gets hold of your private key, the revocation of an ssl certificate might be one of the smaller problems your environment has (hey, thanks to LE you might just get a new cert).
Read about Ransom PKP, that's fun also ;)

[glatzert]

If you are feeling lucky, you might want to take a look into the dist folder of cert-revokation branch.
It currently needs the account key, since using the cert key is a bigger thing (I will implement that in the future, but it affects the Invoke-SignedRequest function, which everything depends upon...)

[GeorgeSchiro]

Any sense for an ETA on the cert key implementation Thomas?

[glatzert]

Not yet, I have some work to do for my customers, which has priority over this (I think it's two weeks worth of work).
Nevertheless using the account key and the certificate should already work.

[glatzert]

So I was looking into the whole complex around using certificates to revoke a certificate and .. uff .. That's a lot of work - especially since I'd probably need more dependencies to NuGet packages, which will allow JW-Tokens, -Keys, etc. from X509Certificates.

So I won't make any promises about when that'll make it into the module.

[glatzert]

1.4.0-beta includes Revoke-AcmeCertificate with many different Parameter-Sets (all wildly untested). If you provide an PFX file or X509Certificate, that includes the private key, it will use that key (or should) to sign the request.

[GeorgeSchiro]

Sorry for the delay getting to this Thomas. Would you prefer the typical bug report (ie. new issue)? Or would you prefer that I paste what I am seeing here?