fioctl keys ca revoke-device-ca

Revoke device CA, so that devices with client certificates it issued can no longer connect to your Factory

Synopsis

Revoke device CA, so that devices with client certificates it issued can no longer connect to your Factory.

When the online or local device CA is revoked:
- It is no longer possible to register new devices with client certificates it had issued.
- Existing devices with client certificates it issued can no longer connect to your Factory.

You may later re-add a revoked device CA using “keys ca update”, if you still keep its certificate stored somewhere. Once you do this, devices with client certificates issued by this device CA may connect to your Factory again.

fioctl keys ca revoke-device-ca <PKI Directory> [flags]

Examples

# Revoke a local device CA by providing a (default) file name inside your PKI directory:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca

# Revoke two local device CAs given a full path to their files:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file /path/to/ca1.pem --ca-file /path/to/ca2.crt

# Revoke two device CAs given their serial numbers (base 10):
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-serial <base-10-serial-1> --ca-serial <base-10-serial-2>

# Revoke a local device CA, when your factory root CA private key is stored on an HSM:
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca \
  --hsm-module /path/to/pkcs11-module.so --hsm-pin 1234 --hsm-token-label <token-label-for-key>

# Show a generated CRL that would be sent to the server to revoke a local device CA, without actually revoking it.
fioctl keys ca revoke-device-ca /path/to/pki/dir --ca-file local-ca --dry-run --pretty
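A check worth running on the CRL that `--dry-run` shows before anything is uploaded: confirm it is signed by the factory root CA and that it lists the device CA's base-10 serial (the value passed to `--ca-serial`). This is an added Go example, not fioctl's own code; because a real factory root key is not available here, it builds a throwaway root CA and CRL as constructed input and then verifies that CRL with the same logic you would apply to the tool's output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildRootAndCRL makes a throwaway root CA and a CRL it signs that revokes one device CA serial (constructed data only).
func BuildRootAndCRL(revokedSerial *big.Int) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example factory root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	root, err := x509.ParseCertificate(der) // parsed copy carries the SubjectKeyId that CRL creation requires
	if err != nil { return nil, nil, err }
	crl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revokedSerial, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, root, key)
	return root, crlDER, err
}

// IsDeviceCARevoked verifies the CRL against the factory root CA and reports whether the base-10 serial is listed.
func IsDeviceCARevoked(crlDER []byte, root *x509.Certificate, serialBase10 string) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	// A CRL the gateway should honour must be signed by the factory root CA, not by some other key.
	if err := crl.CheckSignatureFrom(root); err != nil { return false, fmt.Errorf("CRL not signed by the factory root CA: %w", err) }
	serial, ok := new(big.Int).SetString(serialBase10, 10)
	if !ok { return false, fmt.Errorf("invalid base-10 serial %q", serialBase10) }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

To check a real dry-run CRL, feed its DER bytes and the factory root certificate to IsDeviceCARevoked instead of the constructed pair.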

Options

    --ca-file stringArray      A file name of the device CA to revoke. Can be used multiple times to revoke several device CAs
    --ca-serial stringArray    A serial number (base 10) of the device CA to revoke. Can be used multiple times to revoke several device CAs
    --dry-run                  Do not revoke the certificate, but instead show a generated CRL that will be uploaded to the server.
-h, --help                     help for revoke-device-ca
    --hsm-module string        Load a root CA key from a PKCS#11 compatible HSM using this module
    --hsm-pin string           The PKCS#11 PIN to log into the HSM
    --hsm-token-label string   The label of the HSM token containing the root CA key
    --pretty                   Can be used with dry-run to show the generated CRL in a pretty format.

Options inherited from parent commands

-c, --config string    config file (default is $HOME/.config/fioctl.yaml)
-f, --factory string   Factory to list targets for
-t, --token string     API token from https://app.foundries.io/settings/tokens/
-v, --verbose          Print verbose logging

SEE ALSO

  • fioctl keys ca - Manage Public Key Infrastructure for your device gateway