How to Revoke an SSL/TLS Certificate

This page enumerates the steps we take to revoke a self-signed SSL/TLS certificate in a BigchainDB network. It can only be done by someone with access to the self-signed CA associated with the network’s managing organization.

Step 1: Revoke a Certificate

Since we used Easy-RSA version 3 to set up the CA, we use it to revoke certificates too.

Go to the following directory (associated with the self-signed CA): .../bdb-node-ca/easy-rsa-3.0.1/easyrsa3. You need to know the name that was used when the certificate request was imported with ./easyrsa import-req, because that name identifies the certificate to revoke. Run the following command to revoke it:

./easyrsa revoke <filename>

This will update the CA database with the revocation details. The next step is to use the updated database to issue an up-to-date certificate revocation list (CRL).

Step 2: Generate a New CRL

Generate a new CRL for your infrastructure using:

./easyrsa gen-crl

The generated crl.pem file needs to be uploaded to your infrastructure to prevent the revoked certificate from being used again.

In particular, the generated crl.pem file should be sent to all BigchainDB node operators in your BigchainDB network, so that they can install it in their MongoDB instance and their BigchainDB Server instance.
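The two steps above, wrapped in a small POSIX shell script that also checks the result before the CRL is distributed. This is an added example, not part of the BigchainDB docs or of Easy-RSA. It assumes the standard Easy-RSA 3 layout, where the CA database is pki/index.txt and the generated CRL is pki/crl.pem under the easyrsa3 directory, that the name given to ./easyrsa revoke equals the certificate's CN (Easy-RSA's default cn_only mode), and that openssl is installed for the CRL cross-check. The index.txt content used by the demo is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the BigchainDB docs or Easy-RSA): revoke a node
# certificate, regenerate the CRL, and confirm that both the CA database
# and the new CRL actually record the revocation.
# Assumed paths (standard Easy-RSA 3 layout): $DIR/pki/index.txt and
# $DIR/pki/crl.pem, where $DIR is the easyrsa3 directory from the page.

# Print the hex serial of every certificate whose index.txt status is "R".
# index.txt is tab-separated: status, expiry, revocation date, serial,
# filename, subject DN.
revoked_serials() {
    awk -F '\t' '$1 == "R" { print $4 }' "$1"
}

# Exit 0 if the certificate with subject /CN=$2 is marked revoked in index $1.
# Assumes the revoke name equals the CN (Easy-RSA default cn_only DN mode).
is_revoked() {
    awk -F '\t' -v cn="$2" '
        $1 == "R" && $6 == "/CN=" cn { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Write a constructed sample CA database to $1: node1 valid, node2 revoked.
make_sample_index() {
    printf 'V\t290101000000Z\t\t01\tunknown\t/CN=node1\n' > "$1"
    printf 'R\t290101000000Z\t240301120000Z\t02\tunknown\t/CN=node2\n' >> "$1"
}

# Run the page's procedure in easyrsa3 directory $1 for certificate name $2,
# then verify: the database must show it revoked, and every revoked serial
# in the database must be listed in the freshly generated crl.pem.
revoke_and_regen_crl() {
    dir="$1"; name="$2"
    ( cd "$dir" && ./easyrsa revoke "$name" && ./easyrsa gen-crl ) || return 1
    is_revoked "$dir/pki/index.txt" "$name" \
        || { echo "index.txt does not mark $name as revoked" >&2; return 1; }
    for serial in $(revoked_serials "$dir/pki/index.txt"); do
        openssl crl -in "$dir/pki/crl.pem" -noout -text \
            | grep -qi "Serial Number: $serial" \
            || { echo "serial $serial missing from crl.pem" >&2; return 1; }
    done
    echo "$dir/pki/crl.pem is consistent; distribute it to all node operators"
}

# Demo against the constructed database (no Easy-RSA needed).
demo() {
    tmp=$(mktemp)
    make_sample_index "$tmp"
    echo "revoked serials: $(revoked_serials "$tmp")"
    if is_revoked "$tmp" node2; then echo "node2: revoked"; fi
    if ! is_revoked "$tmp" node1; then echo "node1: still valid"; fi
    rm -f "$tmp"
}

# Usage on a real CA: revoke_and_regen_crl /path/to/easyrsa3 <name>
[ "${1:-}" = "demo" ] && demo
```

The cross-check matters because a CRL that was generated before the database update, or from a different pki directory, would be distributed with the revoked certificate still absent; checking serial by serial against index.txt catches that before node operators load the file.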