fioctl keys ca disable-device-ca
Disable device CA, so that new devices with client certificates it issued can no longer be registered
Synopsis
Disable device CA, so that new devices with client certificates it issued can no longer be registered.
When the online or local device CA is disabled:
- It is no longer possible to register new devices with client certificates it had issued.
- Existing devices with client certificates it issued may continue to connect and use your Factory.
Usually, when the device CA is compromised, a user should:
1. Immediately disable the given device CA using "fioctl keys ca disable-device-ca <PKI Directory> --ca-serial <CA Serial>".
2. Inspect their devices with client certificates issued by that device CA, and remove compromised devices (see "fioctl devices list|delete").
3. Create a new device CA using "fioctl keys ca add-device-ca <PKI Directory> --online-ca|--local-ca".
4. Rotate the client certificates of legitimate devices to certificates issued by the new device CA (see "fioctl devices config rotate-certs").
5. Revoke the given device CA using "fioctl keys ca revoke-device-ca <PKI Directory> --ca-serial <CA Serial>".
fioctl keys ca disable-device-ca <PKI Directory> [flags]
Examples
# Disable two device CAs given their serial numbers:
fioctl keys ca disable-device-ca /path/to/pki/dir --ca-serial <base-10-serial-1> --ca-serial <base-10-serial-2>
# Show a generated CRL that would be sent to the server to disable a local device CA, without actually disabling it.
fioctl keys ca disable-device-ca /path/to/pki/dir --ca-file local-ca --dry-run --pretty
# See "fioctl keys ca revoke-device-ca --help" for more examples; these two commands have a very similar syntax.
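The artefact behind this command is the CRL that --dry-run prints: a revocation list signed by the factory root that names the serials of the device CAs to disable. The Go program below is an added example, not fioctl's code, that constructs a throwaway in-memory PKI (a root, two device CAs with serials 1001 and 1002, and one device client certificate per CA), produces such a CRL for the first device CA, verifies that the CRL really was signed by the root, and then models the registration decision from the synopsis: a new device presenting a certificate from the disabled CA is refused while one from the other CA is accepted. The function names (buildPKI, disableDeviceCAs, disabledSerials, mayRegister), the serials, and the assumption that only registration consults the CRL while already registered devices are left alone are all illustrative; how the Foundries server actually applies the uploaded CRL is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable for a throwaway, constructed test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl with signer (the private key belonging to parent) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// template returns a CA template (certificate and CRL signing) or a plain leaf template.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// buildPKI constructs, in memory, a factory root, two device CAs (serials 1001 and
// 1002) and one device client certificate per CA; clients[i] was issued by cas[i].
func buildPKI() (root *x509.Certificate, rootKey *ecdsa.PrivateKey, cas, clients []*x509.Certificate) {
	rootKey, rootTmpl := newKey(), template(1, "factory-root", true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	for i, serial := range []int64{1001, 1002} {
		caKey, devKey := newKey(), newKey()
		ca := issue(template(serial, fmt.Sprintf("device-ca-%d", i), true), root, &caKey.PublicKey, rootKey)
		cas = append(cas, ca)
		clients = append(clients, issue(template(serial*10+1, fmt.Sprintf("device-%d", i), false), ca, &devKey.PublicKey, caKey))
	}
	return root, rootKey, cas, clients
}

// disableDeviceCAs builds the artefact --dry-run prints: a DER CRL signed by the root listing the CA serials to disable.
func disableDeviceCAs(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serials []*big.Int) ([]byte, error) {
	now := time.Now()
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
}

// disabledSerials parses a CRL, rejects it unless the root signed it, and returns the disabled serials in base 10 (the --ca-serial form).
func disabledSerials(root *x509.Certificate, crlDER []byte) (map[string]bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // forged or mis-signed CRL
		return nil, err
	}
	disabled := map[string]bool{}
	for _, rc := range crl.RevokedCertificates {
		disabled[rc.SerialNumber.String()] = true
	}
	return disabled, nil
}

// mayRegister models only the registration decision (assumption matching the synopsis: already
// registered devices are not re-checked). It finds the issuing device CA and refuses if it is disabled.
func mayRegister(client *x509.Certificate, cas []*x509.Certificate, disabled map[string]bool) (bool, error) {
	for _, ca := range cas {
		if client.CheckSignatureFrom(ca) == nil { // ca is the issuer
			return !disabled[ca.SerialNumber.String()], nil
		}
	}
	return false, fmt.Errorf("client certificate not issued by any known device CA")
}

func main() {
	root, rootKey, cas, clients := buildPKI()
	disabled := must(disabledSerials(root, must(disableDeviceCAs(root, rootKey, []*big.Int{cas[0].SerialNumber}))))
	for i, c := range clients {
		ok, err := mayRegister(c, cas, disabled)
		fmt.Printf("new device with a certificate from CA serial %s may register: %v (err=%v)\n", cas[i].SerialNumber, ok, err)
	}
}
```

Two details carry over to the real command: the serials are compared as base-10 strings because that is what --ca-serial takes (SerialNumber.String() prints base 10, whereas openssl prints serials in hex), and the CRL is only honoured after its signature has been checked against the root, which is why the HSM options above load the root CA key: the disable operation is a root-signed statement, not a local flag.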
Options
--ca-file stringArray A file name of the device CA to disable. Can be used multiple times to disable several device CAs
--ca-serial stringArray A serial number (base 10) of the device CA to disable. Can be used multiple times to disable several device CAs
--dry-run Do not disable the certificate, but instead show a generated CRL that will be uploaded to the server.
-h, --help help for disable-device-ca
--hsm-module string Load a root CA key from a PKCS#11 compatible HSM using this module
--hsm-pin string The PKCS#11 PIN to log into the HSM
--hsm-token-label string The label of the HSM token containing the root CA key
--pretty Can be used with dry-run to show the generated CRL in a pretty format.
Options inherited from parent commands
-c, --config string config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string Factory to list Targets for
-t, --token string API token from https://app.foundries.io/settings/tokens/
-v, --verbose Print verbose logging
SEE ALSO
fioctl keys ca - Manage Public Key Infrastructure for your device gateway