Hi, The ssh-keygen command allows generation of a KRL in a binary format. It also has a command line option (-Q) to check if a specific certificate/public key is on the KRL. I did not find any command that will display the full content of a KRL to see which certificates/serial numbers/hashes are on the revocation list. It would be nice to have such a command so we can easily check which certificates have been revoked in the past. Regards, Rik
Created attachment 3367: Support for dumping KRL contents via ssh-keygen

This patch adds support for dumping KRL contents via "ssh-keygen -Qlf /path/krl". The dump format is similar to the KRL specification format described in ssh-keygen(1)'s KEY REVOCATION section. Some things we need to print don't fit the format, so I print them as comments. Example:

> $ ssh-keygen -lQf obj/krl-all
> # KRL version 0
> # Generated at 20200313T181736
>
> hash: SHA256:SHA256:s8ltKq+ldDA2KIlB5dqI0BfEI4UyV+pJujwg6Q2uKIU # ssh-dss
> hash: SHA256:SHA256:zbEIKMbhOkp/jZWE/cW67PnEwSyv0Oju1c4PH1N70/k # ssh-ed25519
> hash: SHA256:SHA256:VZS9t21+vjrGDece9Pc6i23kPcVw5QsVOtxBCuIOyRw # ecdsa-sha2-nistp256
> hash: SHA256:SHA256:jHnudyvRBF93GK/jA9NO7wpUd5emyeCq9NlIEI6dVQA # sk-ecdsa-sha2-nistp256@openssh.com
> # CA key ssh-ed25519 SHA256:7Y4hOrk8kHvyTeXl+VU/zwD28qqCK9e5M35LTwe0OpM
> serial: 1
> serial: 4
> serial: 90
> serial: 500-799
> serial: 999
> serial: 10000-20000
> id: revoked 795
> id: revoked 796
> id: revoked 797
> id: revoked 798
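To show what producing such a dump involves, here is an added example (not the patch above and not ssh-keygen's own code): a small Python reader for the binary KRL container that prints the same "serial:", "id:", "hash:" lines. It assumes the layout and the numeric section codes given in OpenSSH's PROTOCOL.krl as I recall them (magic "SSHKRL\n\0", format version 1, sections 1/2/3/4/5 and certificate subsections 0x20-0x23); verify those codes against that file before relying on the output. The KRL it parses is constructed inline in build_sample_krl() with a placeholder CA key blob and a dummy fingerprint, so nothing here is a real revocation list. Serial bitmaps are expanded to individual serials rather than collapsed into ranges, and the CA key is printed as its raw blob instead of a fingerprint; both are simplifications.

```python
import base64
import struct
import time

# Codes as laid out in OpenSSH's PROTOCOL.krl (from memory; treat as assumptions).
KRL_MAGIC = b"SSHKRL\n\x00"
SEC_CERTIFICATES, SEC_EXPLICIT_KEY, SEC_FP_SHA1, SEC_SIGNATURE, SEC_FP_SHA256 = 1, 2, 3, 4, 5
CERT_SERIAL_LIST, CERT_SERIAL_RANGE, CERT_SERIAL_BITMAP, CERT_KEY_ID = 0x20, 0x21, 0x22, 0x23


class Reader:
    """Minimal SSH wire-format reader: big-endian ints, uint32-length-prefixed strings."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def done(self):
        return self.pos >= len(self.data)

    def _unpack(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError("truncated KRL")
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return v

    def u8(self): return self._unpack(">B")
    def u32(self): return self._unpack(">I")
    def u64(self): return self._unpack(">Q")

    def string(self):
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated KRL string")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v


def b64(raw):  # base64 without '=' padding, as ssh-keygen prints fingerprints
    return base64.b64encode(raw).decode().rstrip("=")


def dump_cert_section(data):
    """Expand one certificates section: CA key, then serial/key-id subsections."""
    r = Reader(data)
    ca_key, _reserved = r.string(), r.string()
    lines = ["# CA key blob " + b64(ca_key)]
    while not r.done():
        kind, body = r.u8(), Reader(r.string())
        if kind == CERT_SERIAL_LIST:
            while not body.done():
                lines.append(f"serial: {body.u64()}")
        elif kind == CERT_SERIAL_RANGE:
            lo, hi = body.u64(), body.u64()
            lines.append(f"serial: {lo}-{hi}")
        elif kind == CERT_SERIAL_BITMAP:  # bit i set => serial base+i revoked
            base, bits = body.u64(), int.from_bytes(body.string(), "big")
            lines += [f"serial: {base + i}" for i in range(bits.bit_length()) if bits >> i & 1]
        elif kind == CERT_KEY_ID:
            while not body.done():
                lines.append("id: " + body.string().decode("utf-8", "replace"))
        else:
            lines.append(f"# skipped unknown certificate subsection type {kind}")
    return lines


def dump_krl(blob):
    """Return the KRL contents as text lines in the style of 'ssh-keygen -lQf'."""
    if blob[:8] != KRL_MAGIC:
        raise ValueError("not a KRL: bad magic")
    r = Reader(blob)
    r.pos = 8
    if r.u32() != 1:
        raise ValueError("unsupported KRL format version")
    krl_version, generated, _flags = r.u64(), r.u64(), r.u64()
    _reserved, comment = r.string(), r.string()
    lines = [f"# KRL version {krl_version}",
             "# Generated at " + time.strftime("%Y%m%dT%H%M%S", time.gmtime(generated))]
    if comment:
        lines.append("# Comment: " + comment.decode("utf-8", "replace"))
    while not r.done():
        kind, data = r.u8(), r.string()
        if kind == SEC_CERTIFICATES:
            lines += dump_cert_section(data)
        elif kind == SEC_EXPLICIT_KEY:
            body = Reader(data)
            while not body.done():
                lines.append("key: " + b64(body.string()))  # raw public key blob
        elif kind in (SEC_FP_SHA1, SEC_FP_SHA256):
            label, body = ("SHA1" if kind == SEC_FP_SHA1 else "SHA256"), Reader(data)
            while not body.done():
                lines.append(f"hash: {label}:" + b64(body.string()))
        elif kind == SEC_SIGNATURE:  # string signing key (= data), then string signature
            r.string()
            lines.append("# signed by key blob " + b64(data))
        else:
            lines.append(f"# skipped unknown section type {kind}")
    return lines


def s(raw):  # wire-format string encoder, used only to construct the sample
    return struct.pack(">I", len(raw)) + raw


def build_sample_krl():
    """Constructed sample KRL (placeholder CA key, dummy digest), not a real list."""
    certs = (s(b"fake-ca-key-blob") + s(b"")
             + bytes([CERT_SERIAL_LIST]) + s(struct.pack(">QQQ", 1, 4, 90))
             + bytes([CERT_SERIAL_RANGE]) + s(struct.pack(">QQ", 500, 799))
             + bytes([CERT_SERIAL_BITMAP]) + s(struct.pack(">Q", 10000) + s(b"\x05"))
             + bytes([CERT_KEY_ID]) + s(s(b"revoked 795") + s(b"revoked 796")))
    header = KRL_MAGIC + struct.pack(">IQQQ", 1, 7, 1584123456, 0) + s(b"") + s(b"example")
    return (header + bytes([SEC_FP_SHA256]) + s(s(bytes(range(32))))
            + bytes([SEC_CERTIFICATES]) + s(certs))


if __name__ == "__main__":
    print("\n".join(dump_krl(build_sample_krl())))
```

Every length field is bounds-checked before it is trusted, so a truncated or corrupted KRL raises ValueError instead of reading past the buffer, which is the property a dumper for an untrusted file should have.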
This has been committed and will be in openssh-8.3
closing resolved bugs as of 8.6p1 release