10:55 <@jamie> in terms of key revocation, it should be two steps:
10:56 <@jamie> monkeysphere-host revoke-key
10:56 <@jamie> that revokes the server's ssh monkeysphere key
10:56 <@jamie> and then, to revoke the root@server.mayfirst.org's key:
10:57 <@jamie> gpg --list-secret-key to get the secret key id for the root user.
10:58 <@jamie> followed by gpg --edit-key <gpgid>
10:58 <@jamie> then: revkey
10:58 <@jamie> then save
10:58 <@jamie> then gpg --send-key <gpgid>
0 attucks:~# monkeysphere-host revoke-key
This will generate a revocation certificate for key A0E7C6828C00CDDFEE82652EBF235CB9287D59CF
and dump the certificate to standard output.

It can also directly publish the new revocation certificate
to the public keyservers via keys.mayfirst.org if you want it to.

Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke
your host key!

Publish the certificate after generation? (y/n/Q) y

sec 2048R/287D59CF 2011-12-08 ssh://attucks.mayfirst.org

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> attucks.mayfirst.org decomissioned
>
Reason for revocation: Key is no longer used
attucks.mayfirst.org decomissioned
Is this okay? (y/N) y
NOTE: This key is not protected!
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: A revocation certificate should follow

iQFBBCABAgArBQJRjR3YJB0DYXR0dWNrcy5tYXlmaXJzdC5vcmcgZGVjb21pc3Np
b25lZAAKCRC/I1y5KH1Zz01jCACK8d9actSgsdQ8R4iOcPFvyRS397WrzA2NxWvd
+y9SJCFves68yMh+HmH3Xr2+IWm9wgwDPWVTWTbDiQYLKpb0Jx+wXwzeayZYHU/X
rg3THvyRhHMM2ccBV2h1eKa+e+hyd8sA2r3SLow37dgjKbb1ELfFgwtz6maGxJrE
okwl680iCvONxg6GnMy2PVVqgASFbeCABFTGd8MKnjWuVSkMV9O3nScjkokJJeQ5
r0ESu8reYJyQfGc/5xz8fpAK16TjIX8ZLhyb6rsB16xniN3lg/XJbQvrSY9utLMq
viFBnbImJK/X9jXHKm59mCam1SjbCzOMni7nAHWo/hZO9tFv
=87HD
-----END PGP PUBLIC KEY BLOCK-----

Really publish this cert to keys.mayfirst.org ? (Y/n)
gpg: sending key 287D59CF to hkp server keys.mayfirst.org
0 attucks:~#
}}}
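
The second step from the chat log above (revoking the root user's own gpg key) done from a script, as an added example that is not part of the wiki page or of Monkeysphere: the key id is taken from gpg's machine-readable listing instead of read off the screen, and the revkey/save dialogue is answered over --command-fd. The sample listing is constructed with made-up key ids, the answer order for revkey follows the prompts gpg shows in the transcript above, and keys.mayfirst.org is used only because the transcript names it.

```shell
# Added example, not the wiki's or Monkeysphere's code: locate root's secret
# key id from `gpg --list-secret-keys --with-colons`, then apply revkey/save
# non-interactively and publish the revoked key.

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key ids and fingerprints are made up; they are not the page's keys.
SAMPLE_COLONS='sec:u:2048:1:0123456789ABCDEF:1323302400::::::::::
fpr:::::::::FEDCBA98765432100123456789ABCDEF0123ABCD:
uid:u::::1323302400::A1B2C3D4E5F60718293A4B5C6D7E8F9000112233::root@server.example.org (root key)::
ssb:u:2048:1:FEDCBA9876543210:1323302400::::::::::
sec:u:2048:1:1111222233334444:1323302400::::::::::
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1323302400::00112233445566778899AABBCCDDEEFF00112233::Other Key <other@example.org>::'

# secret_key_id_for USERID_SUBSTRING [LISTING]
# Prints the long key id (field 5 of the "sec" record) of the first secret
# key whose "uid" record (field 10) contains USERID_SUBSTRING. Reads the
# listing from gpg unless one is supplied, so it can be checked offline.
secret_key_id_for() {
    match=$1
    if [ -n "$2" ]; then listing=$2
    else listing=$(gpg --list-secret-keys --with-colons 2>/dev/null); fi
    printf '%s\n' "$listing" | awk -F: -v m="$match" '
        $1 == "sec" { keyid = $5 }
        $1 == "uid" && keyid != "" && index($10, m) > 0 { print keyid; exit }'
}

# revoke_secret_key KEYID [KEYSERVER]
# Non-interactive form of: gpg --edit-key KEYID, revkey, save, gpg --send-keys.
# Answers the revkey prompts over --command-fd in the order gpg asks them:
# confirm revocation, reason 3 (key no longer used), one description line,
# empty line ending the description, final confirmation, then save.
# Assumes an unprotected secret key, as in the transcript above; a
# passphrase-protected key would also need the passphrase (e.g. --passphrase-fd).
revoke_secret_key() {
    keyid=$1
    keyserver=${2:-keys.mayfirst.org}   # keyserver named on the page
    printf 'revkey\ny\n3\n%s decommissioned\n\ny\nsave\n' "$keyid" |
        gpg --batch --command-fd 0 --status-fd 2 --edit-key "$keyid" &&
        gpg --keyserver "$keyserver" --send-keys "$keyid"
}

# Offline demonstration on the constructed listing (no gpg needed):
secret_key_id_for root@server.example.org "$SAMPLE_COLONS"   # 0123456789ABCDEF
```

Run `revoke_secret_key "$(secret_key_id_for root@server.mayfirst.org)"` on the host itself once the listing comes from the real keyring.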
=== Revoke root@server.mayfirst.org's key ===
 * '''Get the secret key id for the root user'''
{{{
gpg --list-secret-keys
}}}
 * '''Edit the key'''
{{{
gpg --edit-key <gpgid>
}}}
 * '''Apply the revocation and save'''
{{{
gpg> revkey
gpg> save
}}}
 * '''Send the revoked key to the key server'''
{{{
gpg --send-keys <gpgid>