[Bug 3962] New: Add more verbose output when revoking keys or certificates via a spec file
bugzilla-daemon at mindrot.org
Mon May 11 19:22:29 AEST 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3962
Bug ID: 3962
Summary: Add more verbose output when revoking keys or
certificates via a spec file
Product: Portable OpenSSH
Version: 9.6p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: u20230201 at gmail.com
When using a spec file to revoke certificates (via serial number and CA
key), ssh-keygen just outputs that it uses the spec file, but does not
output the entries actually added to the KRL.
For some automated workflows one might want to parse the output to log
the fact of revoking a certificate (or public key).
Example output:

    % ssh-keygen -f user-CA.krl -k -s user-CA -u -z 5 user-KRL.spec
    Revoking from user-KRL.spec

The user-KRL.spec contained:

    serial: 40
    serial: 41
    serial: 99999
    serial: 999999

Actually serial numbers 40 and 41 had been revoked in the KRL file
already, so it would be nice if ssh-keygen would output the entries
actually added to the KRL, maybe like:

    Revoked serial 99999
    Revoked serial 999999
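An automated workflow can compute the newly revoked entries itself before calling ssh-keygen. The following is an added example, not part of the original report and not OpenSSH code: it parses the serial: lines of a KRL spec and subtracts the serial ranges the workflow has already recorded as revoked. The `already` record, the function names and the "Revoked serials N-M" form for ranges are assumptions of this example, and only decimal serials are handled.

```python
import re

# "serial: N" or "serial: N-M" per ssh-keygen(1), KEY REVOCATION LISTS.
RANGE_RE = re.compile(r"(\d+)(?:-(\d+))?")

def parse_spec_serials(spec_text):
    """Return the serial ranges named in a KRL spec as (lo, hi) tuples."""
    ranges = []
    for lineno, raw in enumerate(spec_text.splitlines(), 1):
        key, _, val = raw.strip().partition(":")
        if key.lower() != "serial":
            continue  # blank line, comment, or id:/key:/hash: directive
        m = RANGE_RE.fullmatch(val.strip())
        lo = int(m.group(1)) if m else 0
        hi = int(m.group(2) or lo) if m else 0
        if lo == 0 or hi < lo or hi >= 2**64:  # serials are non-zero 64-bit
            raise ValueError("line %d: bad serial entry %r" % (lineno, raw))
        ranges.append((lo, hi))
    return ranges

def merge(ranges):
    """Sort ranges and fuse overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    return merged

def newly_revoked(spec_text, already):
    """Ranges in the spec that `already` (the workflow's own record) lacks."""
    fresh, known = [], merge(already)
    for lo, hi in merge(parse_spec_serials(spec_text)):
        for klo, khi in known:
            if khi < lo or klo > hi:
                continue  # no overlap with this known range
            if klo > lo:
                fresh.append((lo, klo - 1))  # gap before the known range
            lo = khi + 1
        if lo <= hi:
            fresh.append((lo, hi))
    return fresh

def log_lines(fresh):
    return ["Revoked serial %d" % lo if lo == hi
            else "Revoked serials %d-%d" % (lo, hi) for lo, hi in fresh]
# Constructed sample: the spec from the report above.
SPEC = "serial: 40\nserial: 41\nserial: 99999\nserial: 999999\n"
```

Calling log_lines(newly_revoked(SPEC, [(40, 41)])) yields the two lines the report asks for, which the wrapper can write to its audit log before running ssh-keygen -k -u.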