revoking ssh-cert.pub with serial revokes also younger certs
Jakob Schürz
wertstoffe at schuerz.at
Sat Sep 14 00:54:14 AEST 2019
Hi there!
What am I doing wrong?
I created an ssh-certificate id_user_rsa-cert.pub with this dump:
id_user_rsa-cert.pub:
root@host # ssh-keygen -Lf id_user_rsa-cert.pub
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
        Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
        Key ID: "test@myhost.mydomain.example"
        Serial: 18
        Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
        Principals:
                test
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
Now I try to revoke this certificate with

ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub

The serial is 1 less than the serial of my created certificate.

Check if my certificate is valid:

root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED

Why? I thought, when I use -s <Serialnumber> only this specific
certificate for a pubkey is revoked...
jakob
--
lore ipsum
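
The behaviour asked about above, as an added example that is not part of the original post: per ssh-keygen(1), -k revokes every key or certificate file named on the command line and, while generating a KRL, -z sets the KRL version number, so revoking a single serial goes through a KRL specification file with a "serial:" line. The throwaway keys and the names id_old, id_new, krl_post, krl_spec and spec are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post). Throwaway keys; all file names are constructed.
# Reports what `ssh-keygen -Q` says about two certificates (serials 17 and 18)
# against two KRLs: one built as in the post, one built from a KRL spec file.

verdict() {  # $1 = KRL file, $2 = certificate; prints "ok" or "REVOKED"
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | awk '{ print $NF }'
}

krl_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || return 127
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        for k in user_ca id_old id_new; do
            ssh-keygen -q -t ed25519 -N '' -C "$k" -f "$k" >/dev/null || exit 1
        done
        # When signing, -z is the certificate serial.
        ssh-keygen -q -s user_ca -I old -n test -z 17 id_old.pub 2>/dev/null || exit 1
        ssh-keygen -q -s user_ca -I new -n test -z 18 id_new.pub 2>/dev/null || exit 1

        # As in the post: the certificate file is the thing being revoked,
        # and -z 17 only sets the KRL version number.
        ssh-keygen -q -s user_ca.pub -kf krl_post -z 17 id_new-cert.pub \
            >/dev/null 2>&1 || exit 1

        # Revoke by serial: a KRL spec file with a "serial:" line, plus the CA via -s.
        printf 'serial: 17\n' > spec
        ssh-keygen -q -s user_ca.pub -kf krl_spec spec >/dev/null 2>&1 || exit 1

        printf 'post-style: serial17=%s serial18=%s; spec-file: serial17=%s serial18=%s\n' \
            "$(verdict krl_post id_old-cert.pub)" "$(verdict krl_post id_new-cert.pub)" \
            "$(verdict krl_spec id_old-cert.pub)" "$(verdict krl_spec id_new-cert.pub)"
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

krl_demo || echo "demo did not complete (exit $?)" >&2
```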