====== Emergency Revocation ======
**SEV-1 Incident:** Immediate response on CA compromise! \\
**RTO:** 1 hour | **Decision makers:** CISO + PKI Lead
Procedure for mass revocation of certificates on CA compromise.
----
===== When Emergency Revocation? =====
^ Trigger ^ Example ^ Action ^
| **Root CA compromised** | Private key stolen | Rebuild entire PKI |
| **Intermediate compromised** | Signing key leaked | Revoke the sub-CA and all certificates it issued |
| **Mass compromise** | Ransomware on CA server | Revoke all affected certificates |
| **Critical vulnerability** | Algorithm broken | Revoke all affected certificates |
----
===== Decision Tree =====
<code mermaid>
flowchart TD
    A[Compromise detected] --> B{Which level?}
    B -->|Root CA| C[CRITICAL: Entire PKI]
    B -->|Intermediate| D[HIGH: Sub-hierarchy]
    B -->|End-entity| E[MEDIUM: Individual certificates]
    C --> F[1. All CAs offline]
    C --> G[2. Emergency CRL]
    C --> H[3. Build new PKI]
    D --> I[1. Revoke sub-CA]
    D --> J[2. Revoke all certs of sub-CA]
    D --> K[3. New intermediate]
    E --> L[1. Identify affected certs]
    E --> M[2. Update CRL]
    E --> N[3. Re-issue]
    style C fill:#ffebee
    style D fill:#fff3e0
</code>
----
===== Phase 1: Triage (15 min) =====
<code bash>
#!/bin/bash
# emergency-triage.sh
echo "=== EMERGENCY TRIAGE ==="
echo "Time: $(date -Iseconds)"
# 1. Which CA is affected?
echo ""
echo "Affected CA:"
read -r -p "Root/Intermediate/End-Entity: " CA_LEVEL
CA_LEVEL=$(echo "$CA_LEVEL" | tr '[:upper:]' '[:lower:]')   # normalise once for the checks below
# 2. Type of compromise
echo ""
echo "Type of compromise:"
echo "  1. Private key stolen"
echo "  2. Unauthorized certificate issuance"
echo "  3. System compromise"
echo "  4. Algorithm vulnerability"
read -r -p "Selection: " COMPROMISE_TYPE
# 3. Determine scope
echo ""
echo "Determining scope..."
case "$CA_LEVEL" in
    root)
        echo "CRITICAL: All certificates of entire PKI affected!"
        # every entry still marked valid (V) in the CA database
        SCOPE=$(grep -c "^V" /etc/pki/CA/index.txt)
        ;;
    intermediate)
        read -r -p "Which intermediate CA? " INT_CA
        # rough count: index entries that mention the intermediate's name
        SCOPE=$(grep -c "$INT_CA" /etc/pki/CA/index.txt)
        ;;
    *)
        read -r -p "Number of affected certificates: " SCOPE
        ;;
esac
echo ""
echo "=== SUMMARY ==="
echo "CA Level: $CA_LEVEL"
echo "Compromise Type: $COMPROMISE_TYPE"
echo "Affected Certificates: $SCOPE"
echo ""
# Escalation (CA_LEVEL is lower-cased above, so "Root" and "ROOT" match as well)
if [ "$CA_LEVEL" = "root" ]; then
    echo "ESCALATION: Notify CISO and management!"
    echo "Activate communication plan!"
fi
</code>
----
===== Phase 2: Immediate Actions (30 min) =====
==== Take CA Offline ====
<code bash>
#!/bin/bash
# emergency-ca-offline.sh
set -e
echo "=== CA OFFLINE ==="
# 1. Stop CA services
systemctl stop pki-ca
systemctl stop ocsp-responder
# 2. Block network access
# -I inserts at the top of the chain; -A would append the DROP after any
# existing ACCEPT rule, where it never matches.
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp --dport 80 -j DROP
# 3. Lock signing keys (HSM)
# Vendor-specific. The line below is only a placeholder: module path and
# key id are not filled in, and the exact sub-command depends on the HSM.
# pkcs11-tool --module --login --deactivate-key --id
# 4. Forensic preservation
# Imaging the disk of the running system yields an inconsistent image;
# boot from a separate medium for the image where time allows.
echo "Creating forensic image..."
IMG="/backup/forensic/ca-server-$(date +%Y%m%d%H%M%S).img"
dd if=/dev/sda of="$IMG" bs=4M status=progress
sha256sum "$IMG" > "$IMG.sha256"   # record the hash for chain of custody
echo "CA offline. No new certificates possible."
</code>
==== Generate Emergency CRL ====
A CRL signed with the affected CA's own key only helps relying parties that still trust that key. For a compromised root the attacker can sign CRLs as well, so the root must additionally be removed from trust stores, which is why the decision tree rebuilds the whole PKI in that case.
<code bash>
#!/bin/bash
# emergency-crl.sh
set -euo pipefail
CA_DIR=/etc/pki/CA
echo "=== EMERGENCY CRL ==="
# Revoke all certificates of affected CA
# WARNING: This is destructive!
read -r -p "WARNING: Revoke all certificates? (REVOKE/abort): " confirm
[ "$confirm" = "REVOKE" ] || exit 1
# Backup current database
cp "$CA_DIR/index.txt" "$CA_DIR/index.txt.pre-emergency-$(date +%Y%m%d%H%M%S)"
# Revoke all valid certificates.
# index.txt is tab-separated: status, expiry, revocation date (empty for
# valid entries), serial, file name, subject. Tab is an IFS whitespace
# character, so a plain `read` collapses the empty revocation column and
# shifts the fields; awk -F'\t' keeps the columns in place.
awk -F'\t' '$1 == "V" { print $4 "\t" $6 }' "$CA_DIR/index.txt" |
while IFS=$'\t' read -r serial subject; do
    echo "Revoking: $serial - $subject"
    openssl ca -config "$CA_DIR/openssl.cnf" \
        -revoke "$CA_DIR/newcerts/${serial}.pem" \
        -crl_reason keyCompromise \
        -batch || echo "FAILED to revoke $serial" >&2   # keep going, report at the end
done
# Generate new CRL (short validity!)
openssl ca -config "$CA_DIR/openssl.cnf" \
    -gencrl \
    -crlhours 1 \
    -out /var/www/pki/emergency.crl
# Distribute CRL immediately
echo "Distributing emergency CRL..."
scp /var/www/pki/emergency.crl crl-server:/var/www/html/crl/
scp /var/www/pki/emergency.crl cdn-origin:/var/www/crl/
echo "Emergency CRL distributed."
echo "CRL URL: http://crl.example.com/crl/emergency.crl"
</code>
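The triage count in Phase 1 and the mass revocation above both read the CA database, and after the CRL is published the one check worth running is whether every recorded revocation made it into the CRL. The script below is an added example, not one of the runbook's scripts: it parses ''index.txt'' tab-aware, counts what is still valid, and compares the revoked serials against a text dump of the CRL. The ''index.txt'' lines and the CRL dump are constructed sample data for a hypothetical CA; the file paths are temporary files created by the script.

```shell
#!/bin/bash
# crl-coverage-check.sh
# Added example, not one of the runbook's scripts. Answers two questions once
# the emergency CRL exists: how many certificates are still marked valid in
# the CA database (the triage scope; after mass revocation it must be 0), and
# whether every serial marked revoked in index.txt appears in the published
# CRL. All input below is constructed sample data.
export LC_ALL=C   # identical sort order for sort and comm

# Serials (column 4) of index.txt entries with the given status letter.
# index.txt is tab-separated: status, expiry, revocation date (empty while the
# certificate is valid), serial, file name, subject. Tab is an IFS whitespace
# character, so a `read` loop would collapse the empty column and shift the
# fields; awk -F'\t' keeps the columns in place.
index_serials() {                 # $1 = index.txt, $2 = V or R
    awk -F'\t' -v st="$2" '$1 == st { print $4 }' "$1"
}

# Number of certificates still marked valid (= not yet revoked).
still_valid_count() {             # $1 = index.txt
    index_serials "$1" V | wc -l | tr -d ' '
}

# Serials listed in a text dump of the CRL (`openssl crl -in x.crl -noout -text`),
# which prints one "Serial Number: XXXX" line per revoked certificate.
crl_serials() {                   # $1 = file holding the text dump
    awk '/^ *Serial Number:/ { print $3 }' "$1"
}

# Serials marked R in index.txt that are missing from the CRL dump.
# An empty result means the CRL covers every recorded revocation.
missing_from_crl() {              # $1 = index.txt, $2 = CRL text dump
    local idx crl
    idx=$(mktemp); crl=$(mktemp)
    index_serials "$1" R | sort -u > "$idx"
    crl_serials "$2" | sort -u > "$crl"
    comm -23 "$idx" "$crl"
    rm -f "$idx" "$crl"
}

# --- constructed sample data (hypothetical CA, not from a real system) ---
SAMPLE_INDEX=$(mktemp)
{
    printf 'V\t260101000000Z\t\t1001\tunknown\t/CN=web01.example.com\n'
    printf 'R\t260101000000Z\t250601120000Z,keyCompromise\t1002\tunknown\t/CN=web02.example.com\n'
    printf 'R\t260101000000Z\t250601120000Z,keyCompromise\t1003\tunknown\t/CN=vpn01.example.com\n'
    printf 'E\t240101000000Z\t\t0FFF\tunknown\t/CN=old.example.com\n'
} > "$SAMPLE_INDEX"

# Text dump in the layout `openssl crl -text -noout` prints; serial 1003 is
# deliberately left out so the coverage check has something to report.
SAMPLE_CRL=$(mktemp)
cat > "$SAMPLE_CRL" <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Intermediate CA
        Last Update: Jun  1 12:00:00 2025 GMT
        Next Update: Jun  1 13:00:00 2025 GMT
Revoked Certificates:
    Serial Number: 1002
        Revocation Date: Jun  1 12:00:00 2025 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
EOF

echo "Still valid in index.txt (must be 0 after emergency revocation): $(still_valid_count "$SAMPLE_INDEX")"
echo "Revoked in index.txt but absent from the CRL:"
missing_from_crl "$SAMPLE_INDEX" "$SAMPLE_CRL"
```

Against a real CA, point ''SAMPLE_INDEX'' at ''/etc/pki/CA/index.txt'' and produce the dump with ''openssl crl -in /var/www/pki/emergency.crl -noout -text''; a non-empty list from ''missing_from_crl'' means the published CRL is stale or was generated before the last revocations and has to be regenerated and redistributed.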
----
===== Phase 3: Communication =====
==== Internal Communication ====
<code>
EMERGENCY NOTIFICATION: PKI Compromise
To: IT Security, IT Operations, Management
From: PKI Team
Time: [TIMESTAMP]

STATUS: SEV-1 INCIDENT

SUMMARY:
The [Root/Intermediate] CA has been compromised.
All issued certificates are being revoked.

IMPACT:
- Affected certificates: [COUNT]
- Affected systems: [LIST]
- Estimated downtime: [HOURS]

IMMEDIATE ACTIONS:
1. CA taken offline
2. Emergency CRL generated
3. Communication to affected systems

NEXT STEPS:
1. Forensic analysis
2. Build new CA
3. Re-issue all certificates

CONTACT:
PKI Team: pki-emergency@example.com
Security: security@example.com
Hotline: +49 xxx xxxxx
</code>
==== External Communication (if needed) ====
<code>
SECURITY NOTICE

[ORGANIZATION] has identified that [DESCRIPTION].
Affected services have been taken offline as a precaution.
We are working on a solution and will inform you of updates.

For questions: security@example.com
</code>
----
===== Phase 4: Recovery =====
<code bash>
#!/bin/bash
# emergency-recovery.sh
echo "=== RECOVERY ==="
# 1. New Root CA (if compromised)
echo "Option 1: New Root CA"
echo "  -> Perform Key Ceremony"
echo "  -> See: key-ceremony.sh"
# 2. New Intermediate CA
echo ""
echo "Option 2: New Intermediate CA"
echo "  -> Get signed by Root"
# 3. Re-issue all certificates
echo ""
echo "Option 3: Re-issue certificates"
# Server list from CMDB/Inventory (one hostname per line)
SERVERS_FILE="/etc/pki/inventory/all-servers.txt"
if [ -f "$SERVERS_FILE" ]; then
    total=$(wc -l < "$SERVERS_FILE")
    echo "Re-issue for $total servers..."
    mkdir -p /tmp/reissue
    while read -r server; do
        [ -n "$server" ] || continue
        echo "Re-issue: $server"
        # Request CSR from server. ssh -n keeps ssh from reading the loop's
        # stdin; without it the first ssh call swallows the rest of the server
        # list and the loop stops after one server.
        # The CSR carries only a CN; the issuing profile in openssl.cnf has to
        # add the subjectAltName, since clients ignore the CN.
        ssh -n "$server" "openssl req -new -key /etc/ssl/private/server.key -out /tmp/emergency.csr -subj \"/CN=$server\""
        # Fetch CSR
        scp "$server:/tmp/emergency.csr" "/tmp/reissue/${server}.csr"
        # Issue new certificate
        openssl ca -config /etc/pki/CA/openssl.cnf \
            -in "/tmp/reissue/${server}.csr" \
            -out "/tmp/reissue/${server}.pem" \
            -days 365 -batch
        # Deploy certificate
        scp "/tmp/reissue/${server}.pem" "$server:/etc/ssl/certs/server.pem"
        ssh -n "$server" "systemctl reload nginx || systemctl reload apache2"
    done < "$SERVERS_FILE"
fi
echo "Recovery completed."
</code>
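With a one-hour RTO the re-issue loop is the step most likely to be interrupted (a host that does not answer, a lost session), and restarting it from the top would issue a second certificate for every server already done. The script below is an added example, not one of the runbook's scripts: it runs the same five remote steps as ''emergency-recovery.sh'' but records each finished server in an append-only progress log and, on restart, only processes servers not in that log. The path ''/var/log/pki/reissue-done.txt'' is an assumption; the demo at the end uses temporary files and ''DRY_RUN=1'', so no host is contacted.

```shell
#!/bin/bash
# reissue-resumable.sh
# Added example, not one of the runbook's scripts. Wraps the per-server
# re-issue loop of emergency-recovery.sh in a resumable form: progress is
# appended to a log and a restart only touches servers not yet logged. The
# remote commands are the runbook's; with DRY_RUN=1 they are printed instead
# of executed, which is what the constructed demo at the bottom uses.
export LC_ALL=C   # identical sort order for sort and comm
INVENTORY="${INVENTORY:-/etc/pki/inventory/all-servers.txt}"   # one hostname per line
DONE_LOG="${DONE_LOG:-/var/log/pki/reissue-done.txt}"          # assumed path for the progress log
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Inventory entries (minus blank lines and '#' comments) that are not in the
# progress log yet. Duplicates in the inventory are folded.
pending_servers() {               # $1 = inventory, $2 = progress log (may not exist yet)
    local inv finished
    inv=$(mktemp); finished=$(mktemp)
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | sort -u > "$inv"
    if [ -f "$2" ]; then sort -u "$2" > "$finished"; else : > "$finished"; fi
    comm -23 "$inv" "$finished"
    rm -f "$inv" "$finished"
}

# Append-only progress record: a crash mid-run never loses finished servers.
mark_done() {                     # $1 = progress log, $2 = hostname
    echo "$2" >> "$1"
}

# The five remote steps for one server, as in emergency-recovery.sh.
# ssh -n keeps ssh from reading the loop's stdin; without it the first ssh
# call would swallow the remaining server list.
reissue_one() {                   # $1 = hostname
    local server="$1"
    run ssh -n "$server" "openssl req -new -key /etc/ssl/private/server.key -out /tmp/emergency.csr -subj '/CN=$server'" &&
    run scp "$server:/tmp/emergency.csr" "/tmp/reissue/$server.csr" &&
    run openssl ca -config /etc/pki/CA/openssl.cnf -in "/tmp/reissue/$server.csr" -out "/tmp/reissue/$server.pem" -days 365 -batch &&
    run scp "/tmp/reissue/$server.pem" "$server:/etc/ssl/certs/server.pem" &&
    run ssh -n "$server" "systemctl reload nginx || systemctl reload apache2"
}

# Full run: only pending servers, each logged once all its steps succeeded.
reissue_all() {
    run mkdir -p /tmp/reissue
    pending_servers "$INVENTORY" "$DONE_LOG" | while read -r server; do
        echo "Re-issue: $server"
        if reissue_one "$server"; then
            mark_done "$DONE_LOG" "$server"
        else
            echo "FAILED: $server (stays pending for the next run)" >&2
        fi
    done
}

# --- constructed demo: temporary inventory and log, DRY_RUN so nothing is contacted ---
DEMO_INV=$(mktemp); DEMO_DONE=$(mktemp)
printf '# web tier\nweb01.example.com\nweb02.example.com\n\nvpn01.example.com\nweb01.example.com\n' > "$DEMO_INV"
echo "web02.example.com" > "$DEMO_DONE"   # finished in an earlier, interrupted run
echo "Pending after the interrupted run:"
pending_servers "$DEMO_INV" "$DEMO_DONE"
echo "Commands that would run for one server:"
( DRY_RUN=1; reissue_one vpn01.example.com )
```

For a real run, call ''reissue_all'' with ''INVENTORY'' and ''DONE_LOG'' pointing at the real files; a server whose steps fail is reported and left out of the log, so the next invocation picks it up again without touching the servers that already succeeded.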
----
===== Post-Incident =====
^ Phase ^ Task ^ Timeframe ^
| Post-Incident | Forensic report | +24h |
| Post-Incident | Root cause analysis | +48h |
| Post-Incident | Lessons learned | +1 week |
| Prevention | Improve controls | +2 weeks |
| Compliance | Notify authorities (if critical infrastructure) | Per regulation |
----
===== Checklist =====
^ # ^ Checkpoint ^ Time ^ Done ^
| 1 | Triage completed | +15m | |
| 2 | CA offline | +20m | |
| 3 | Management informed | +25m | |
| 4 | Emergency CRL generated | +30m | |
| 5 | CRL distributed | +35m | |
| 6 | Internal communication | +40m | |
| 7 | External communication (if needed) | +45m | |
| 8 | Recovery plan activated | +60m | |
----
===== Related Documentation =====
* [[.:ca-backup-restore|CA Backup/Restore]] - Restore backup
* [[.:key-ceremony|Key Ceremony]] - Create new CA
* [[..:tagesgeschaeft:zertifikat-widerrufen|Revoke Certificate]] - Single revocation
----
<< [[.:key-ceremony|<- Key Ceremony]] | [[..:start|-> Operator Scenarios]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>emergency revocation compromise incident operator}}