Revocations.db and multiple storagenodes on the same server

What is the revocations.db good for? Is this documented somewhere? I tried to search in the forum and on Google with no success.

What happens when you create and sign a new identity on the same server? Will the existing revocations.db be overwritten or is the new info added to it?

What happens when I create and sign the identity on a different PC and move it to the server? What am I supposed to do with the new and different revocations.db?

1 Like

The identity program is a Certificate Authority (CA) management program for X509 certificates. It is possible to revoke an identity certificate using the certificate-authority revoke command.

Typically one would not do this sort of thing. And, for those watching, please do not attempt it at home…

The revocations.db is probably (I can’t be absolutely sure because it’s not my program) a Certificate Revocation List (CRL), and is probably used in the same way as any other typical CA CRL is used…

CRL use in Internet PKI.

1 Like

I have the same question, no answer yet…

1 Like

Was wondering about this…

It seemed to be outside the identity folder, so I left it behind after moving the identity files to a new storagenode…

During setup the storagenode seems to regenerate it from the identity files…
and place it in the same folder relative to the identity… or the storagenode folder, I guess… else how would it find it again…

Anyways, found it an oddly placed file after identity generation; ofc since it’s a file that seems to generate itself… then I don’t really need to know more about it… I can just generally ignore it.

Yet my meanderings ended me up here.

I’m with @anon27637763 on this one. It’s probably a CRL. The purpose of a CRL in this context isn’t entirely clear to me. My guess is this is for Storj to be able to revoke a signing certificate on their end in case it somehow ended up in the wrong hands. These tend to be an in case of emergency kind of thing. It’s not needed for the use of your identity either way. Pretty sure it’s only used while authorizing, but it might be used to prevent a third party using a leaked certificate to sign these identities.

1 Like

The revocations.db is used to track revocations of any peer identity certificates (storage nodes or satellites or other). If your storagenode identity certificate is compromised, you could sign a new certificate with your identity and revoke the old one (because hopefully you are keeping your identity’s ca.key somewhere secure, not on the node itself).

As far as I know, no one has needed to do this yet, but it’s important that this functionality exists.

2 Likes
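As an added illustration of the revoke-and-reissue step described in the reply above (example code, not Storj's own; the CA name, key type, serial numbers and validity window are constructed), this Go program builds a CA, has it sign a CRL naming a compromised certificate's serial, and shows a verifier that accepts only a CRL the CA actually signed:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// newCA builds a self-signed CA, a constructed stand-in for an identity's ca.cert/ca.key; crlSign lets it revoke what it issued.
func newCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "identity-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// revoke has the CA sign a DER-encoded CRL naming the given certificate serials (the compromised ones).
func revoke(ca *x509.Certificate, caKey ed25519.PrivateKey, serials ...int64) ([]byte, error) {
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		list.RevokedCertificateEntries = append(list.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, list, ca, caKey)
}
// isRevoked parses the CRL, refuses it unless the CA signed it, then looks for the peer certificate's serial.
func isRevoked(ca *x509.Certificate, crlDER []byte, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a list the CA did not sign proves nothing about the peer
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Int64() == serial
	}), nil
}
```

The signature check is the part that matters: a verifier that skipped it could be handed a list that silently "un-revokes" the compromised certificate, or revokes a healthy one.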