revoking ssh-cert.pub with serial revokes also younger certs
Damien Miller
djm at mindrot.org
Mon Sep 16 12:18:08 AEST 2019
On Fri, 13 Sep 2019, Jakob Schürz wrote:
> Hi there!
>
> What am I doing wrong?
>
> I created a ssh-certificate
>
> id_user_rsa-cert.pub with this dump:
>
> id_user_rsa-cert.pub:
> root at host # ssh-keygen -Lf id_user_rsa-cert.pub
> Type: ssh-rsa-cert-v01 at openssh.com user certificate
> Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
> Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
> Key ID: "test at myhost.mydomain.example"
> Serial: 18
> Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
> Principals:
>         test
> Critical Options: (none)
> Extensions:
>         permit-X11-forwarding
>         permit-agent-forwarding
>         permit-port-forwarding
>         permit-pty
>         permit-user-rc
>
>
> Now I try to revoke this certificate with
>
> ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub
>
> The serial is 1 less than the serial of my created certificate.
>
> Check if my certificate is valid:
>
> root at host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)):
> REVOKED
>
> Why? I thought, when I use -s <Serialnumber> only this specific
> certificate for a pubkey is revoked...
If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra
debugging that might show what is going on. You'll probably need to
add -vvv to ssh-keygen's flags too.
-d
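The following script is an added example and is not part of the thread. It reproduces the check with a throwaway CA and two certificates (serials 17 and 18), first running the command from the question and then revoking by serial through a KRL specification file. Two documented ssh-keygen(1) behaviours are relevant: when generating a KRL, -z sets the KRL version number rather than selecting a serial, and a file given to -k is read as a KRL specification, so a certificate file passed there revokes that whole certificate. Serial-based revocation uses a "serial:" line in the spec file together with -s for the CA public key. All paths, key names and principals below are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: compare the
# thread's revocation command with a serial-based KRL spec file.
# Every path and key name here is constructed for the demo.
set -eu

# ssh-keygen -Q exits non-zero when any listed key is revoked by the KRL.
krl_status() {
    if ssh-keygen -Qf "$1" "$2" >/dev/null 2>&1; then echo valid; else echo revoked; fi
}

krl_serial_demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not available, skipping demo"
        return 0
    fi
    w=$(mktemp -d)

    # Throwaway CA and two user keys, signed with serials 17 and 18
    # for the same principal "test" as in the thread.
    ssh-keygen -q -t ed25519 -N '' -C demo_ca -f "$w/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C key17 -f "$w/key17"
    ssh-keygen -q -t ed25519 -N '' -C key18 -f "$w/key18"
    ssh-keygen -q -s "$w/user_ca" -I cert17 -n test -z 17 "$w/key17.pub"
    ssh-keygen -q -s "$w/user_ca" -I cert18 -n test -z 18 "$w/key18.pub"

    # 1. The thread's command: the certificate file itself is the KRL
    #    spec, so the whole certificate (serial 18) is revoked; with -k,
    #    -z 17 only sets the KRL version number.
    ssh-keygen -q -k -f "$w/krl_thread" -z 17 -s "$w/user_ca.pub" "$w/key18-cert.pub"
    a18=$(krl_status "$w/krl_thread" "$w/key18-cert.pub")
    a17=$(krl_status "$w/krl_thread" "$w/key17-cert.pub")
    echo "thread command: serial 18 is $a18, serial 17 is $a17"

    # 2. Revoke serial 17 alone via a "serial:" line in a spec file.
    printf 'serial: 17\n' > "$w/revoke.spec"
    ssh-keygen -q -k -f "$w/krl_serial" -s "$w/user_ca.pub" "$w/revoke.spec"
    b17=$(krl_status "$w/krl_serial" "$w/key17-cert.pub")
    b18=$(krl_status "$w/krl_serial" "$w/key18-cert.pub")
    echo "serial spec:    serial 17 is $b17, serial 18 is $b18"

    rm -rf "$w"
    [ "$a18" = revoked ] && [ "$a17" = valid ] && [ "$b17" = revoked ] && [ "$b18" = valid ]
}

krl_serial_demo
```

Run it as an unprivileged user; it touches only a temporary directory. The second KRL is the one to deploy under RevokedKeys when the goal is to revoke one serial without touching the certificate file at all, and ssh-keygen -Q against both the intended and the still-valid certificates is a cheap check to run before the KRL reaches sshd.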