autonomy cert revoke
Revoke a certificate and update the local CRL
Synopsis
Revoke a TLS certificate for the given node identity.
The command updates a locally managed CRL file that edge transports can load via EDGE_CRL_FILE. Revocation is performed offline: no network service is contacted, and the CRL is signed with the provided CA certificate/key pair.
Audit trail: every successful revoke emits cert.revoked.
Required RBAC permission: cert:manage. Set AUTONOMY_RBAC_ENFORCEMENT=0 to disable enforcement (not recommended in production).
Usage
autonomy cert revoke [flags]
Examples
autonomy cert revoke \
--identity node-alpha.edge.io \
--cert-file /etc/edge/certs/node.crt \
--ca-cert /etc/edge/certs/ca.crt \
--ca-key /etc/edge/certs/ca.key \
--crl-file /etc/edge/certs/revoked.crl \
--reason key-compromise
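A post-revocation check, added here as an example and not part of the autonomy tool: it confirms that the written CRL verifies against the CA, lists the leaf certificate's serial, and is still inside its next-update window. It assumes the CRL is a standard X.509 CRL in PEM form and that the openssl CLI and GNU date are available; the function names are illustrative.

```shell
# Added example (not part of autonomy): verify the CRL written by
# `autonomy cert revoke`. Assumes the openssl CLI and GNU date.

# Serial of a PEM certificate as hex, e.g. "1A2B".
cert_serial() {  # cert
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# True if the CRL signature verifies against the CA certificate. The message
# is matched because older OpenSSL releases exit 0 on a failed verification.
crl_signed_by() {  # crl ca
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# True if the CRL lists exactly this serial among its revoked entries.
crl_lists_serial() {  # crl serial
  [ -n "$2" ] || return 1
  openssl crl -in "$1" -noout -text |
    grep -Eiq "Serial Number: $2[[:space:]]*\$"
}

# True if the CRL's nextUpdate is still in the future.
crl_is_fresh() {  # crl
  next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2)
  [ -n "$next" ] || return 1
  [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ]
}

# Run all checks; report each failure on stderr, return non-zero on any.
check_revocation() {  # cert crl ca
  rc=0
  serial=$(cert_serial "$1")
  crl_signed_by "$2" "$3" || { echo "CRL does not verify against $3" >&2; rc=1; }
  crl_lists_serial "$2" "$serial" || { echo "serial $serial not in $2" >&2; rc=1; }
  crl_is_fresh "$2" || { echo "$2 is past nextUpdate" >&2; rc=1; }
  return "$rc"
}

# Usage, with the paths from the example above:
#   check_revocation /etc/edge/certs/node.crt \
#     /etc/edge/certs/revoked.crl /etc/edge/certs/ca.crt
```

Running the check on the host that loads the CRL, rather than only where it was written, also catches a stale copy that has passed its next-update time.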
Options
--ca-cert string path to CA certificate PEM used to sign the CRL (required)
--ca-key string path to CA private key PEM used to sign the CRL (required)
--cert-file string path to the leaf certificate PEM being revoked (required)
--crl-file string path to write the updated CRL PEM (default: EDGE_CRL_FILE)
--identity string node identity to revoke (required)
--next-update-hours int CRL validity window in hours before the next CRL must be issued (default 168)
--reason string revocation reason (e.g. key-compromise, ca-compromise, superseded, cessation-of-operation)
See also
autonomy cert - Manage TLS leaf certificates for edge node identity