Signing KRLs?

Peter Moody mindrot at
Tue Feb 5 07:25:29 AEDT 2019

On Mon, Feb 4, 2019 at 10:32 AM Daniel Schneller <ds at> wrote:
> Hi!
> While reading through PROTOCOL.krl I came across "5. KRL signature sections".
> If my understanding is correct - and that's basically what I would like to
> get knocked down for if appropriate ;) - this is a way for SSHDs to ensure
> they only accept KRLs signed by a trusted CA.
> However, I cannot seem to find a way to actually _sign_ a KRL with ssh-keygen?
> The aforementioned PROTOCOL.krl says that KRL_SECTION_SIGNATURE is optional in
> the file structure, so am I right to assume that ssh-keygen simply does not
> implement the signing of KRLs (yet)? Or do I need to use some other tool I have
> overlooked?

I haven't looked at the code, but the man page implies -s signs the krl.

     -s ca_key
             Certify (sign) a public key using the specified CA key.  Please
             see the CERTIFICATES section for details.

             When generating a KRL, -s specifies a path to a CA public key
             file used to revoke certificates directly by key ID or serial
             number.  See the KEY REVOCATION LISTS section for details.

> Thanks a lot in advance.
> Cheers,
> Daniel
> --
> Daniel Schneller
> ds at
> Twitter: @dschneller
> - Java, iOS, Mac, Windows, Linux and other insanities.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at
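Added example, not part of the thread: the KRL workflow the quoted man page text describes, with -s used in the role it gives for -k, naming the CA public key whose certificates the KRL revokes by serial number. Key names, serials and file names are constructed for this demonstration; the result is then verified with ssh-keygen -Q.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA, issue two user
# certificates, generate a KRL with `ssh-keygen -k -s ca.pub` that revokes
# one of them by serial number, and check both with `ssh-keygen -Q`.
# All key, identity and file names below are constructed for this demo.
set -eu

krl_demo() {
    # Return "skipped" cleanly where ssh-keygen is not installed.
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }

    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp"

    # CA key and two user keys; alice's certificate will be revoked.
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f ca
    ssh-keygen -q -t ed25519 -N '' -C alice   -f alice
    ssh-keygen -q -t ed25519 -N '' -C bob     -f bob

    # Issue certificates with distinct serial numbers (-z).
    ssh-keygen -q -s ca -I alice -n alice -z 1001 alice.pub
    ssh-keygen -q -s ca -I bob   -n bob   -z 1002 bob.pub

    # KRL spec: revoke serial 1001 of the CA named via -s (see man page).
    printf 'serial: 1001\n' > revoke.spec
    ssh-keygen -q -k -f revoked.krl -s ca.pub revoke.spec

    # -Q exits non-zero when a tested key or certificate is revoked.
    alice_status=ok; bob_status=ok
    ssh-keygen -Q -f revoked.krl alice-cert.pub >/dev/null 2>&1 || alice_status=revoked
    ssh-keygen -Q -f revoked.krl bob-cert.pub   >/dev/null 2>&1 || bob_status=revoked

    echo "alice=$alice_status bob=$bob_status"
}
```

Bob's certificate (serial 1002) stays valid because only serial 1001 is listed under the CA given with -s.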
