autonomy cert check-revocation

Check whether a certificate serial is present in the CRL

Synopsis

Check whether a leaf certificate’s serial number appears in the local CRL.

Reads the CRL at --crl-file (or EDGE_CRL_FILE) and checks the serial of the certificate at --cert-file. The CA certificate at --ca-cert is used to verify the CRL signature before the serial is checked, so a CRL that was not signed by that CA is rejected rather than consulted.

Exit behavior: exits 0 if the certificate is not revoked, non-zero if revoked.

Note: the CRL is read from disk and reflects the state at the time of the last ‘autonomy cert revoke’ call. No network service is contacted.

To enforce revocation at the transport layer, configure the control-plane server with CRLFile in TLSConfig; revoked clients are then rejected at TLS handshake time. Running control-plane servers reload the CRL when the file changes on disk. To distribute the CRL across hosts, use ‘autonomy cert sync-crl’ or configure ‘autonomy-orchestrator serve --tls-crl-sync-url’.

Required RBAC permission: cert:read or cert:manage. Set AUTONOMY_RBAC_ENFORCEMENT=0 to disable enforcement (not recommended in production).
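The check described above, written out in Go as an added example (not the project's own code): decode the three PEM files, verify the CRL signature with the CA certificate first, and only then look the leaf's serial up in the list. The example builds its own CA, two leaf certificates and two CRLs in memory as constructed test material; the CA names, the serials 1001/1002, the second "unrelated" CA and the NextUpdate staleness check are assumptions of the example, not documented behavior of ‘autonomy cert check-revocation’.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// loadPEM decodes the first PEM block, which must have the expected type, and parses it.
func loadPEM[T any](data []byte, typ string, parse func([]byte) (T, error)) (T, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != typ {
		return *new(T), fmt.Errorf("expected a %q PEM block", typ)
	}
	return parse(block.Bytes)
}

// CheckRevocation reports whether the leaf's serial is listed in the CRL. The CRL signature is
// verified against the CA before the list is consulted, so a forged or tampered CRL can neither
// revoke nor un-revoke a node. A non-nil error means the question could not be answered; callers
// should fail closed. The NextUpdate check is this example's addition, not a documented CLI behavior.
func CheckRevocation(certPEM, caPEM, crlPEM []byte, now time.Time) (bool, error) {
	leaf, err := loadPEM(certPEM, "CERTIFICATE", x509.ParseCertificate)
	if err != nil {
		return false, fmt.Errorf("cert-file: %w", err)
	}
	ca, err := loadPEM(caPEM, "CERTIFICATE", x509.ParseCertificate)
	if err != nil {
		return false, fmt.Errorf("ca-cert: %w", err)
	}
	crl, err := loadPEM(crlPEM, "X509 CRL", x509.ParseRevocationList)
	if err != nil {
		return false, fmt.Errorf("crl-file: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // also enforces IsCA and the cRLSign key usage
		return false, fmt.Errorf("CRL not signed by ca-cert: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is past its NextUpdate (%s); refresh it before trusting a 'not revoked' answer", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// must panics on error; it and everything below it are constructed test material, not the project's PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and issues a certificate; parent == nil makes a self-signed CA.
func newCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: may sign certificates and CRLs
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key // parsed form carries the SubjectKeyId that CRL signing requires
}

// newCRL signs a CRL from ca that lists one serial as revoked and is valid for 24h.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}

// Fixtures: a CA, two leaves it issued, its CRL revoking node-01, and a CRL from an unrelated CA that claims to revoke node-02.
type Fixtures struct{ CAPEM, LeafPEM, OtherLeafPEM, CRLPEM, RogueCRLPEM []byte }

func MakeFixtures() Fixtures {
	certPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	ca, caKey := newCert(1, "Example Edge CA", nil, nil)
	rogue, rogueKey := newCert(1, "Unrelated CA", nil, nil)
	node1, _ := newCert(1001, "node-01", ca, caKey)
	node2, _ := newCert(1002, "node-02", ca, caKey)
	return Fixtures{CAPEM: certPEM(ca), LeafPEM: certPEM(node1), OtherLeafPEM: certPEM(node2),
		CRLPEM: newCRL(ca, caKey, 1001), RogueCRLPEM: newCRL(rogue, rogueKey, 1002)}
}
```

With the fixtures above, node-01 comes back revoked, node-02 does not, and the CRL from the unrelated CA is refused outright rather than read, which is the reason the command takes --ca-cert at all. A wrapper that mirrors the documented exit behavior would exit 0 only for (false, nil) and non-zero for a revoked answer; the page does not say how the CLI exits on a read or signature failure, so this example treats any error as "cannot confirm, fail closed".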

Usage

autonomy cert check-revocation [flags]

Examples

autonomy cert check-revocation \
    --cert-file /etc/edge/certs/node.crt \
    --ca-cert /etc/edge/certs/ca.crt \
    --crl-file /etc/edge/certs/revoked.crl

Options

      --ca-cert string     path to CA certificate PEM used to verify the CRL (required)
      --cert-file string   path to leaf certificate PEM to check (required)
      --crl-file string    path to CRL PEM (default: EDGE_CRL_FILE)

See also

  • autonomy cert — Manage TLS leaf certificates for edge node identity