How to remove an SSH cert

Posted by Tim Kuehn on 09-Sep-2014 11:09

mkhashfile server.crt adds a cert to the OE cert repository.

How does one remove a cert from the repository?

All Replies

Posted by Michael Jacobs on 09-Sep-2014 11:38

Delete the file(s).

Posted by Tim Kuehn on 09-Sep-2014 11:40

Are you referring to the OE cert repository?

Posted by Tim Kuehn on 09-Sep-2014 12:42

Found the "certutil" utility which gave me a list of certs and a way to remove a single cert from the repository.

Posted by Michael Jacobs on 09-Sep-2014 13:48

Some basics that may help.

The OE cert repository ($DLC/certs directory) is the location where all ROOT and intermediate CA digital certificates are stored and used by SSL clients to validate a server's identity. The storage holds PEM encoded text files that are identified using a hashed file name and a ".0" file extension. All other repository files without a ".0" file extension are ignored during the SSL client's validation of the server's digital certificate. The hashed file name is the SSL library's way of indexing into the repository (directory) to find a specific digital certificate (file) by the certificate's 'subject' name field.

What certutil does is help simplify the management of certificates without having to manually deal with the hashed file names and different binary and PEM encodings. Still, at the lowest level certutil is doing file system add, rename, and delete of individual files. (Hence the advice to simply delete the file.)
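As an added example (not from this thread, and not Progress's certutil), the script below does at the file-system level what the post above describes: it derives the hashed file name from a certificate's subject, lists the `<hash>.N` files in the repository whose contents really are that certificate, and deletes only those. It assumes the repository uses the OpenSSL 0.9.8-era `subject_hash_old` scheme (MD5 over the DER subject); newer OpenSSL builds use a SHA-1 based hash, so the mapping should be checked against an existing file name first. The embedded certificate and the temporary repository directory are constructed for the demonstration.

```python
# Find (and optionally remove) a CA cert in an OpenSSL-style hashed repository such as $DLC/certs.
import base64, hashlib, os, pathlib, re, tempfile

def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def _tlv(buf, pos):                          # one DER tag+length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):                   # the subject Name as a whole TLV, straight out of the DER
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos        # skip the optional [0] EXPLICIT version
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def subject_hash_old(cert_der):              # assumed scheme: first 4 MD5 bytes, little-endian, 8 hex digits
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert_der)).digest()[:4], "little")

def find_in_repo(repo_dir, cert_pem, delete=False):
    """Names <hash>.N whose contents are this exact cert (N > 0 marks a subject-hash collision)."""
    der, hits = pem_to_der(cert_pem), []
    for name in sorted(os.listdir(repo_dir)):
        path = pathlib.Path(repo_dir, name)
        if re.fullmatch(subject_hash_old(der) + r"\.\d+", name) and pem_to_der(path.read_text()) == der:
            hits.append(name)                # a hash match alone is not proof; the bytes must match too
            if delete:
                path.unlink()
    return hits

# Constructed sample: a well-formed but unsigned certificate with subject CN=Example CA.
def _der(tag, body): return bytes([tag, len(body)]) + body    # short-form lengths suffice for the sample
SAMPLE_SUBJECT = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Example CA"))))
_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _alg + SAMPLE_SUBJECT
            + _der(0x30, _der(0x17, b"140909110900Z") * 2) + SAMPLE_SUBJECT + _der(0x30, _der(0x05, b"")))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(
    _der(0x30, _tbs + _alg + _der(0x03, b"\x00\x00"))).decode()

def demo(repo_dir=None):
    """Install the sample under its hashed name in a temp repo, then find it, remove it, and list what is left."""
    repo_dir = repo_dir or tempfile.mkdtemp()
    fname = subject_hash_old(pem_to_der(SAMPLE_PEM)) + ".0"
    pathlib.Path(repo_dir, fname).write_text(SAMPLE_PEM)
    return fname, find_in_repo(repo_dir, SAMPLE_PEM), find_in_repo(repo_dir, SAMPLE_PEM, True), os.listdir(repo_dir)
```

To confirm which hash scheme an installation uses, compare an existing file name in $DLC/certs with the output of `openssl x509 -noout -subject_hash_old -in <that file>` and of `-subject_hash`.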

This thread is closed