Setting Up Cmc Revocation; Testing Cmc Revoke - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

6.2.1. Setting up CMC Revocation

To use CMC to revoke certificates, do the following:
• Set up an instance of the CMCAuth Authentication plug-in module. An instance is enabled and
configured by default.
• Use the agent certificate to sign revocation requests.
6.2.1.1. About the revoker Utility
The CMC revocation utility, revoker, is used to sign a revocation request with an agent's certificate.
This utility has the following syntax:
revoker -d /instance/alias/ -n cert_nickname -i issuerName -s serialName
-m reason -c comment
-d is the directory where the cert8.db, key3.db, and secmod.db databases containing the agent
certificate are located. -n is the nickname of the agent's certificate. -i is the issuer name of the
certificate being revoked. -s is the serial number of the certificate being revoked in decimal value. -m
is the reason the certificate is being revoked, which can be any of the following:
• 0 — unspecified
• 1 — the key was compromised
• 2 — the CA key was compromised
• 3 — the employee's affiliation changed
• 4 — the certificate has been superseded
• 5 — cessation of operation
• 6 — the certificate is on hold
-c adds comments about the request.
NOTE
Surround values that include spaces in quotation marks.

6.2.2. Testing CMC Revoke

1. Create a CMC revocation request for an existing certificate.
revoker -d /instance/alias -n nickname -i issuerName -s serialName -m reason -c comment
For example, if the directory containing the agent certificate is /var/lib/pki-ca/alias,
the nickname of the certificate is AgentCert, and the serial number of the certificate is 22, the
command is as shown:
Setting up CMC Revocation
173