X509 CRL suspended certificates and openssl ca comand

From the OpenVPN 2 Cookbook:

The OpenSSL ca command generates its CRL by looking at the index.txt file. Each line that starts with an ' R ' is added to the CRL, after which the CRL is cryptographically signed using the CA private key.

To reinstate your revoked certificate, you could edit your CA database:

database       = $dir/index.txt        # index file.

1. Update the relevant entry in $dir/index.txt, by replacing R=revoked with V=valid.
2. Recreate the crl file: openssl ca -gencrl ***
3. What's left is the automation of the process (A script?)


There is no method to "unsuspend" a certificate in openssl on the CLI that I am aware of. And the following quote may give you a bit more guidance:

Martin Abalea, OpenSSL mailing list, 2008-10-13, Re: Put certificate on hold:

Reading the X.509 recommendation (downloadable for free from the ITU-T web site) tells us that a certificate can be "un-holded" by 2 means:
- either really revoke it, by changing the reason code while keeping the date
- or completely remove it from the CRL, as you guessed.

Again, I am not aware of any CLI commands for OpenSSL so your options may be:

  1. issue a new cert or
  2. restore a copy of the CA DB prior to the revocation and issue a new CRL.

    If you have other revoked certs, you want to make sure you jot them down if you restore your DB. Otherwise, you stated this is your private CA, I don't see why generating a new CERT is an issue.

    There is yet a "long shot" method you may be able to using Microsoft (don't know how to do something similar in OpenSSL).

  3. If you can import your cert into the MS CA, MS has an easy "right click" to unrevoke. See the following documentation on how to do this. Here is the CLI from that page:

    To unrevoke a certificate revoked with the reason code "Certificate Hold," at a command prompt on the CA, type:

    certutil -revoke CertificateSerialNumber unrevoke
    

Reading the X.509 recommendation tells us that a certificate can be "un-holded" by 2 means:

  • either really revoke it, by changing the reason code while keeping the date
  • or completely remove it from the CRL. If you plan to issue deltaCRLs, you MUST use the "removeFromCRL" reason code for such certificates, only for the deltaCRLs.