I've signed and issued some client certificates with my CA. I can now revoke them like so:
openssl ca -name ${CA_NAME} -revoke ${USERS_DIR}/${USERNAME}.crt -keyfile $SSL_PRIVATE_DIR/ca.key -cert $SSL_CERTS_DIR/ca.crt
However, this requires access to the *.pem files in the new_certs_dir folder (e.g. 01.pem, 02.pem). I can use these, but it feels like the only information I need to revoke a client cert is its serial number. However, the man page for the revoke flag says it has to be the crt/pem file:
-revoke filename
a filename containing a certificate to revoke.
I've also noticed I can manually edit the database file, changing the V (valid, presumably) to an R (revoked, presumably) and providing a timestamp for the second timestamp column, like so:
V 180408071318Z 01 unknown /C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA
V 180408071319Z 02 unknown /C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA
to
V 180408071318Z 01 unknown /C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA
R 180408071319Z 180408081319Z 02 unknown /C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA
If I then generate the crl after editing,
openssl ca -name ${CA_NAME} -gencrl -keyfile $SSL_PRIVATE_DIR/ca.key -cert $SSL_CERTS_DIR/ca.crt -out $SSL_PRIVATE_DIR/ca.crl -crldays 1095
the certificate corresponding to that serial is no longer valid. So it seems like all I needed was the serial, despite openssl not providing that option.
So my question is, is there a kosher way to revoke a certificate using only its serial number? Or are there important reasons why this isn't done? Will I encounter problems if I manually edit the database file like above?
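As an added illustration of the manual edit described in the question (not code from the poster, and not an endorsement of it as the official method), here is a small Python helper that performs exactly that change on the `openssl ca` index database by serial number. It assumes the real index.txt layout, which is six TAB-separated fields (status, expiry, revocation date, serial, filename, subject DN); the tabs are lost in the lines quoted above, and the sample data below is constructed to match them.

```python
import datetime
from typing import Optional

# Constructed sample in the layout of an "openssl ca" index database:
# status, expiry, revocation date (empty while valid), serial,
# certificate filename, subject DN, all separated by TABs.
SAMPLE_INDEX = (
    "V\t180408071318Z\t\t01\tunknown\t/C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA\n"
    "V\t180408071319Z\t\t02\tunknown\t/C=AU/ST=NSW/O=Blah/OU=Blah/CN=CA\n"
)


def utc_time(when: datetime.datetime) -> str:
    """Render a datetime in the YYMMDDHHMMSSZ UTCTime form the index uses."""
    return when.astimezone(datetime.timezone.utc).strftime("%y%m%d%H%M%SZ")


def revoke_serial(index_text: str, serial: str,
                  revoked_at: Optional[str] = None) -> str:
    """Return index_text with the entry for `serial` flipped from V to R.

    `revoked_at` is a UTCTime string; it defaults to the current time.
    Raises ValueError if the serial is missing, is not currently valid,
    or a line does not have the six fields openssl ca writes, so a
    malformed database is never rewritten silently.
    """
    stamp = revoked_at or utc_time(datetime.datetime.now(datetime.timezone.utc))
    wanted = serial.upper()
    out, hit = [], False
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, ser, fname, dn = fields
        if ser.upper() == wanted:
            if status != "V":
                raise ValueError(f"serial {ser} is not valid (status {status})")
            status, revoked, hit = "R", stamp, True
        out.append("\t".join([status, expiry, revoked, ser, fname, dn]))
    if not hit:
        raise ValueError(f"serial {wanted} not found in index")
    return "\n".join(out) + "\n"
```

Write the returned text back over index.txt (keeping a copy of the original) and then run the same `openssl ca -gencrl` command shown above to produce the CRL.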