Limitations of revocation via OIDC provisioner :

Limitations of revocation via OIDC provisioner Print

Created by: Hunter Hawke

Modified on: Tue, 31 Jan, 2023 at 10:49 AM

There are generally two ways of revoking a certificate: via certificate serial number or by passing certificate and key directly. The command would look something like:

# Serial
step ca revoke 107114196650443109012396058201150902110

# Cert/Key Pair
step ca revoke --cert my.crt --key my.key

However, OIDC provisioners can only use the latter of the two methods. If you try to use an OIDC provisioner to revoke a certificate by serial number, you will see something similar to the following error:

% step ca revoke 237819302016837325077515135179740029114
✔ Provisioner: authority-admin (OIDC) [client: 0cca8885-3c94-4b15-aac5-a44cd659e92b]
Your default web browser has been opened to visit:

https://auth.smallstep.com/oidc/.../...zaJ9IMYHm

token subject '9cd91b2a-4283-45eb-a325-956f0bae7d9e' and serial number '237819302016837325077515135179740029114' do not match

Passing the certificate and key show a successful revocation:

% step ca revoke --cert my.crt --key my.key
✔ CA: https://....ca.smallstep.com
Certificate with Serial Number 237819302016837325077515135179740029114 has been revoked.

If you would like to revoke a certificate by serial number, you will have to use a different provisioner type.

Hunter is the author of this solution article.

Did you find it helpful? Yes No

Limitations of revocation via OIDC provisioner Print

Related Articles