fioctl keys ca revoke-device-ca
Revoke device CA, so that devices with client certificates it issued can no longer connect to your Factory
Synopsis
Revoke device CA, so that devices with client certificates it issued can no longer connect to your Factory.
When the online or local device CA is revoked:
- It is no longer possible to register new devices with client certificates it had issued.
- Existing devices with client certificates it issued can no longer connect to your Factory.
You may later re-add a revoked device CA using “keys ca update”, if you still keep its certificate stored somewhere. Once you do this, devices with client certificates issued by this device CA may connect to your Factory again.
fioctl keys ca revoke-device-ca <PKI Directory> [flags]
Examples
# Revoke a local device CA by providing a (default) file name inside your PKI directory:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca
# Revoke two local device CAs given a full path to their files:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file /path/to/ca1.pem --ca-file /path/to/ca2.crt
# Revoke two device CAs given their serial numbers:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-serial <base-10-serial-1> --ca-serial <base-10-serial-2>
# Revoke a local device CA, when your factory root CA private key is stored on an HSM:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca \
--hsm-module /path/to/pkcs11-module.so --hsm-pin 1234 --hsm-token-label <token-label-for-key>
# Show a generated CRL that would be sent to the server to revoke a local device CA, without actually revoking it.
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca --dry-run --pretty
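The synopsis above describes the mechanism in one sentence: the factory root CA signs a CRL naming the device CA's serial number, and from then on every client certificate that chains through that device CA is refused by the gateway. The Go program below is an added example, not fioctl's own code or the server's: it builds a constructed root CA, device CA and device client certificate in memory, signs a CRL revoking the device CA with the root key (the artifact `--dry-run` displays, here as DER), and shows that a client which verified before the revocation is refused after it. It also shows the check a consumer of such a CRL must make first, namely that the CRL really was signed by the factory root, so a CRL from any other key is rejected. Function names, serial numbers and subject names are assumptions for illustration; a root key held on an HSM would be passed to `x509.CreateRevocationList` as a `crypto.Signer` instead of the in-memory key used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while building the constructed fixture PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildTestPKI stands in for the PKI directory: factory root CA -> device CA -> device
// client certificate. Names and serials are constructed values, not from any real factory.
func BuildTestPKI() (root *x509.Certificate, rootKey *ecdsa.PrivateKey, devCA, client *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool, ku x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
			BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	root, rootKey = issue(tmpl(1, "factory-root-ca", true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil, nil)
	devCA, devKey := issue(tmpl(1001, "local-device-ca", true, x509.KeyUsageCertSign), root, rootKey)
	client, _ = issue(tmpl(500001, "device-0001", false, x509.KeyUsageDigitalSignature), devCA, devKey)
	return root, rootKey, devCA, client
}

// RevokeDeviceCAs builds the DER CRL the factory root signs to revoke the given device
// CA serials: the artifact --dry-run displays before it would be uploaded.
func RevokeDeviceCAs(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serials []*big.Int, crlNumber int64) ([]byte, error) {
	now := time.Now()
	var entries []x509.RevocationListEntry
	for _, s := range serials {
		entries = append(entries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: now, ReasonCode: 5}) // cessationOfOperation
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(crlNumber), ThisUpdate: now, NextUpdate: now.Add(30 * 24 * time.Hour),
		RevokedCertificateEntries: entries,
	}, root, rootKey)
}

// RevokedSerials accepts a CRL only if the factory root signed it and returns the
// revoked serials as base-10 strings, the form --ca-serial takes.
func RevokedSerials(crlDER []byte, root *x509.Certificate) (map[string]bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return nil, fmt.Errorf("CRL is not signed by the factory root: %w", err)
	}
	revoked := make(map[string]bool)
	for _, e := range crl.RevokedCertificateEntries {
		revoked[e.SerialNumber.String()] = true
	}
	return revoked, nil
}

// ClientMayConnect mirrors the gateway's decision: the client cert must chain to the
// factory root through a device CA, and nothing in that chain may be on the CRL.
func ClientMayConnect(root, devCA, client *x509.Certificate, crlDER []byte) (bool, error) {
	revoked, err := RevokedSerials(crlDER, root)
	if err != nil {
		return false, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(devCA)
	chains, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return false, err
	}
	for _, cert := range chains[0] { // leaf, device CA, root
		if revoked[cert.SerialNumber.String()] {
			return false, nil // revoking the device CA cuts off every client it issued
		}
	}
	return true, nil
}
```

The client certificate itself never appears in the CRL: it is refused because its issuer does, which is why the walk over the whole verified chain matters and why the bullet about existing devices holds for every certificate the device CA ever issued. The reason code 5 (cessationOfOperation) is an assumption; the page does not say which reason fioctl records.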
Options
--ca-file stringArray A file name of the device CA to revoke. Can be used multiple times to revoke several device CAs
--ca-serial stringArray A serial number (base 10) of the device CA to revoke. Can be used multiple times to revoke several device CAs
--dry-run Do not revoke the certificate, but instead show the generated CRL that would be uploaded to the server.
-h, --help help for revoke-device-ca
--hsm-module string Load a root CA key from a PKCS#11 compatible HSM using this module
--hsm-pin string The PKCS#11 PIN to log into the HSM
--hsm-token-label string The label of the HSM token containing the root CA key
--pretty Can be used with --dry-run to show the generated CRL in a pretty format.
Options inherited from parent commands
-c, --config string config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string Factory to list targets for
-t, --token string API token from https://app.foundries.io/settings/tokens/
-v, --verbose Print verbose logging
SEE ALSO
- fioctl keys ca - Manage Public Key Infrastructure for your device gateway