How to revoke an asymmetric key
This page describes a procedure to revoke an asymmetric key in the internal S-Filer PKI and re-encrypt all files that were encrypted using that key.
Note
All asymmetric keys managed by S-Filer are used only internally within the solution. They are not exposed to external systems or users. As a result, the need to revoke a key is very rare and would typically only arise in exceptional circumstances such as a suspected key compromise.
Warning
This process is not yet supported in the S-Filer CLI. It must be performed using database commands as described below. A CLI command will be added in a future version.
This procedure changes data directly in the database and therefore carries a risk of data corruption. Do not attempt it without first consulting OKIOK support, and execute the steps in a non-production environment before performing them in production.
Step 1: Identify the certificate to revoke
The first step is to find the certificate(s) associated with the recipient (community or user) whose key needs to be revoked.
For a community
select c.NAME as 'Community Name',
cert.Id as 'Certificate ID',
cert.CreationDate,
cert.ExpirationDate,
c.RECIPIENTNODEID
from Community c
inner join Certificate cert on cert.RecipientNodeId = c.RECIPIENTNODEID
where c.NAME = '[COMMUNITY_NAME]'
order by cert.CreationDate desc
Replace [COMMUNITY_NAME] with the name of the community whose key needs to be revoked.
For a user
select u.NAME as 'User Name',
cert.Id as 'Certificate ID',
cert.CreationDate,
cert.ExpirationDate,
u.RECIPIENTNODEID
from Users u
inner join Certificate cert on cert.RecipientNodeId = u.RECIPIENTNODEID
where u.NAME = '[USER_NAME]'
order by cert.CreationDate desc
Replace [USER_NAME] with the account name of the user whose key needs to be revoked.
Note the RECIPIENTNODEID value from the query result; it will be used in the next step.
Step 2: Expire the certificate
Set the creation and expiration dates to a date in the past to mark the certificate as expired. This will cause the file re-encryption job to treat all files encrypted under this key as needing re-encryption.
update Certificate set
CreationDate = '2001-01-01 00:00:00',
ExpirationDate = '2001-01-01 00:00:00'
where RECIPIENTNODEID = [RECIPIENTNODEID];
Replace [RECIPIENTNODEID] with the value obtained in step 1.
Step 3: Generate a new key
Use the scheduler in the configurator to manually run the Key Renewal job. This will generate a new key pair for the recipient whose certificate was expired in the previous step.
Step 4: Re-encrypt files
Manually run the File re-encryption job. This job will re-encrypt all files that were encrypted using the revoked certificate with the new key generated in step 3.
This job can take a long time depending on the number and size of files to process. To monitor its progress, use the query below that matches the recipient type:
For a community
-- LEFT JOIN on FileVersion so that a certificate with no remaining files still appears, with nbFiles = 0
SELECT c.id AS certificateId, c.expirationDate AS certificateExpirationDate,
COUNT(fv.FileVersionId) AS nbFiles
FROM Certificate c
INNER JOIN RecipientNode rn ON c.recipientNodeId = rn.nodeId
LEFT JOIN FileVersion fv ON fv.recipientCertificateId = c.id
WHERE rn.recipientCommId IS NOT NULL
AND rn.recipientName = '[COMMUNITY_NAME]'
GROUP BY c.id, c.expirationDate;
For a user
-- LEFT JOIN on FileVersion so that a certificate with no remaining files still appears, with nbFiles = 0
SELECT c.id AS certificateId, c.expirationDate AS certificateExpirationDate,
COUNT(fv.FileVersionId) AS nbFiles
FROM Certificate c
INNER JOIN RecipientNode rn ON c.recipientNodeId = rn.nodeId
LEFT JOIN FileVersion fv ON fv.recipientCertificateId = c.id
WHERE rn.recipientUserId IS NOT NULL
AND rn.recipientName = '[USER_NAME]'
GROUP BY c.id, c.expirationDate;
When the re-encryption is complete, the expired certificate row should show zero files and the new certificate should contain all the files.
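Added example (not part of the S-Filer documentation or product code): a rehearsal of steps 2 and 4 against a constructed in-memory SQLite stand-in that uses only table and column names appearing in the queries above. The function names, the sample rows and the simplified progress query keyed on RecipientNodeId are assumptions for illustration.

```python
import sqlite3

# Added example: helper names are hypothetical, data is constructed.
EXPIRED = "2001-01-01 00:00:00"  # past date used in step 2 of the page

def expire_certificates(conn, recipient_node_id, expected_ids):
    """Step 2 with guards: snapshot the rows, update, verify, else roll back."""
    cur = conn.cursor()
    before = cur.execute(
        "SELECT Id, CreationDate, ExpirationDate FROM Certificate "
        "WHERE RecipientNodeId = ? ORDER BY Id", (recipient_node_id,)).fetchall()
    # Refuse to touch anything if the rows differ from what step 1 returned.
    if [row[0] for row in before] != sorted(expected_ids):
        raise ValueError("certificate set differs from step 1 result")
    try:
        cur.execute(
            "UPDATE Certificate SET CreationDate = ?, ExpirationDate = ? "
            "WHERE RecipientNodeId = ?", (EXPIRED, EXPIRED, recipient_node_id))
        if cur.rowcount != len(before):
            raise RuntimeError("unexpected number of rows updated")
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return before  # original dates, kept so the change can be reversed

def files_per_certificate(conn, recipient_node_id):
    """Progress check for step 4; LEFT JOIN keeps certificates with zero files."""
    return conn.execute(
        "SELECT c.Id, COUNT(fv.FileVersionId) FROM Certificate c "
        "LEFT JOIN FileVersion fv ON fv.recipientCertificateId = c.Id "
        "WHERE c.RecipientNodeId = ? GROUP BY c.Id ORDER BY c.Id",
        (recipient_node_id,)).fetchall()

def demo_db():
    """Constructed in-memory stand-in for a non-production copy (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Certificate (Id INTEGER PRIMARY KEY, RecipientNodeId INTEGER,
                                  CreationDate TEXT, ExpirationDate TEXT);
        CREATE TABLE FileVersion (FileVersionId INTEGER PRIMARY KEY,
                                  recipientCertificateId INTEGER);
        INSERT INTO Certificate VALUES (10, 7, '2024-01-01 00:00:00', '2026-01-01 00:00:00'),
                                       (11, 8, '2024-01-01 00:00:00', '2026-01-01 00:00:00');
        INSERT INTO FileVersion VALUES (1, 10), (2, 10), (3, 11);
    """)
    return conn
```

Keeping the returned snapshot alongside the change record gives a known-good set of dates to restore if the update turns out to have targeted the wrong recipient.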
