Cluster Management
Asked a question 7 years ago

I've revoked a certificate, how can I remove it?


You can't.

Certificates that have been issued and/or revoked cannot be removed with Bright Cluster Manager. This is because, even if you were able to remove them on the server side, they would still be usable if a client has a copy of the certificates. For this reason, it is considered bad practice in a 'public key infrastructure' (PKI) not to have records of all certificates that have ever been issued. This is why Bright Cluster Manager does not allow removal of these records.

Considering the above, in some rare cases, if you really know what you are doing, and fully understand the security implications, it is possible to remove the revoked certificates from the CMDaemon database. Here is how (treat with care!):

bash> service cmd stop
bash> mysql -u$(grep DBUser /cm/local/apps/cmd/etc/cmd.conf | gawk '{print $3}' \
  | sed 's#\"##g') -p$(grep DBPass /cm/local/apps/cmd/etc/cmd.conf \
  | gawk '{print $3}' | sed 's#\"##g') cmdaemon
mysql> delete from Certificates where revoked = 1;
bash> service cmd start
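
Before running the delete above, it helps to keep a dump of the Certificates table and to see how many rows will go. The following is an added example, not Bright's own tooling: it reads the same DBUser/DBPass entries but hands them to MySQL through a private option file rather than as -p<password> on the command line, where other local users can see it in the process list. The function names and the backup path are hypothetical, and the parser assumes the KEY = "value" layout implied by the gawk '{print $3}' in the command above.

```shell
#!/bin/bash
# Added example, not Bright's own tooling; function names are hypothetical.
CMD_CONF=${CMD_CONF:-/cm/local/apps/cmd/etc/cmd.conf}

# Print the value of KEY from a cmd.conf-style file. Assumes lines of the
# form  KEY = "value"  and ignores commented-out entries.
conf_value() {  # usage: conf_value KEY FILE
    awk -v key="$1" \
        '$1 == key && $2 == "=" { v = $3; gsub(/"/, "", v); print v; exit }' "$2"
}

# Write a MySQL option file readable only by its owner, so the password is
# passed via --defaults-extra-file and never appears in the process list.
write_client_cnf() {  # usage: write_client_cnf CONF_FILE OUT_FILE
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\n' \
          "$(conf_value DBUser "$1")" "$(conf_value DBPass "$1")" > "$2" )
}

# Dump the Certificates table to BACKUP_FILE, then print the number of rows
# that "delete from Certificates where revoked = 1" would remove.
backup_and_count() {  # usage: backup_and_count BACKUP_FILE
    _cnf=$(mktemp) || return 1
    _rc=0
    write_client_cnf "$CMD_CONF" "$_cnf" &&
    mysqldump --defaults-extra-file="$_cnf" cmdaemon Certificates > "$1" &&
    mysql --defaults-extra-file="$_cnf" -N -e \
        'select count(*) from Certificates where revoked = 1;' cmdaemon || _rc=$?
    rm -f "$_cnf"   # remove the credentials file whether or not the dump worked
    return "$_rc"
}

# Run with --run on the head node, after "service cmd stop".
# The /root backup location is a placeholder.
if [ "${1:-}" = "--run" ]; then
    backup_and_count "/root/Certificates-$(date +%Y%m%d%H%M%S).sql"
fi
```

Compare the printed count with the number of revoked certificates you expect, and keep the dump file somewhere access-controlled, since it is now the only record of those certificates.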