Revoking Trust

Revoking trust via truststore

The controller components rely on the public certificates in the respective truststore to establish trust with a given identity. Therefore, revoking trust from a client with a given public certificate amounts to removing its certificate from the respective truststore. To remove a given certificate from the truststore:

  • List the certificates in your truststore:

    keytool –list –v -keystore truststore [-storepass password]

  • Delete certificate from truststore:

    keytool –delete –alias cert-aliastruststore

Revoking trust via CRL

For the controller’s REST API, a CRL (Certificate Revocation List) might also be specified to allow blacklisting of certain clients. This is done by modifying the /opt/sdn/virgo/configuration/tomcat-server.xml file to include the CRL file location in the SSL connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" 
crlFile="location_of_CRL file"/> 

For the change to take effect, restart the controller.