
PKI Certificate Revocation (CN / Serial)



Description

This automation playbook revokes certificates from one or more Microsoft Active Directory Certificate Services (AD CS) Certification Authorities.
Revocation can be performed based on Common Name (CN), explicit Serial Number, or both.

The playbook supports bulk revocation, input normalization, and safe execution through a dedicated PKI service account. It leverages native certutil commands and provides detailed execution feedback for audit and incident response purposes.


Credentials

  • sys_srvaapwin_pki
    PKI service account credentials retrieved from Passwordstate at run time.
    This account must hold the rights needed to revoke certificates on the target CA(s); on AD CS that is the Certificate Manager role (the "Issue and Manage Certificates" permission on the CA).

  • sys_ansible_windows
    Credential passed on via AAP; used for the connection to the execution host.

  • sys_ps_pki
    Credential passed on via AAP; used to authenticate to Passwordstate and retrieve the PKI service account credential that performs the revocation.


Target Hosts

  • srvaapwinpr01.gentgrp.gent.be
    Execution host with network and security access to the AD CS infrastructure.

Input Variables

Variable        Description                                                   Required  Default
CommonName      One or more certificate Common Names (CSV supported)          No*       -
SerialNumber    One or more certificate serial numbers (CSV supported)        No*       -
CAlocationsRaw  CA configuration string(s) (server\CA-name, CSV supported)    Yes       SRVCAISSUE02.gentgrp.gent.be\D09-Issuing-CA2
Reason          Revocation reason code (RFC 5280 CRLReason, 0-6)              No        5

* At least one of CommonName or SerialNumber must be provided.

Note on the Reason default: in RFC 5280 (and in the table further down) code 5 is Cessation of Operation, while Key Compromise is code 1. The default was previously documented as "5 (Key Compromise)", which is contradictory; confirm the effective default in the playbook source before relying on it during incident response, and pass Reason explicitly when it matters.


Common Name Normalization Logic

To reduce operator error and improve usability, the playbook automatically normalizes Common Names:

  • If a CN does not end with .gentgrp.gent.be, the original CN is kept and an additional FQDN variant (CN + .gentgrp.gent.be) is added, so certificates issued under either form of the name are found.

Example

Input:
  server01

Processed CN list:
  server01
  server01.gentgrp.gent.be

  • Existing FQDNs are not modified
  • Duplicate CNs are automatically removed
  • Only the approved suffix is appended (hard-coded)
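The normalization rules above, written out as an added PowerShell example (this is not the playbook's own code). It assumes the CN list arrives as a single CSV string and that the approved suffix is hard-coded in the script; the function name Normalize-CommonNames and the sample input are constructed for this example.

```powershell
# Added example (not the playbook's own code): CN normalization as described above.
# Assumption: input is one CSV string; the only suffix that may ever be appended
# is hard-coded here, so a caller cannot steer lookups into another domain.
$ApprovedSuffix = '.gentgrp.gent.be'

function Normalize-CommonNames {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $CommonNameCsv,
        [string] $Suffix = $ApprovedSuffix
    )

    $result = [System.Collections.Generic.List[string]]::new()
    # Case-insensitive set: DNS names are case-insensitive, so SERVER01 == server01.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    foreach ($raw in ($CommonNameCsv -split ',')) {
        $cn = $raw.Trim().TrimEnd('.')          # drop stray whitespace and a trailing root dot
        if ([string]::IsNullOrWhiteSpace($cn)) { continue }   # empty CSV fields

        # Always keep the CN as supplied; add the FQDN variant only when the
        # approved suffix is missing. Existing FQDNs are never rewritten.
        $candidates = @($cn)
        if (-not $cn.EndsWith($Suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $candidates += ($cn + $Suffix)
        }

        foreach ($candidate in $candidates) {
            # HashSet.Add returns $false for a value already seen, which dedupes the list.
            if ($seen.Add($candidate)) { $result.Add($candidate) }
        }
    }
    return $result.ToArray()
}

# Constructed sample input: short name, same name already qualified (different case),
# a second host, an empty field and a duplicate with surrounding spaces.
$sample = 'server01, SERVER01.gentgrp.gent.be ,server02,, server01'
Normalize-CommonNames -CommonNameCsv $sample
```

On the sample input the function yields four names: server01, server01.gentgrp.gent.be, server02 and server02.gentgrp.gent.be. The already-qualified SERVER01.gentgrp.gent.be and the second server01 are dropped as duplicates, and the empty field is ignored.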

Output (Ansible facts)

Variable      Description
pki_creds     PKI service account credentials from Passwordstate. This fact holds a secret: the task that sets it must run with no_log: true so the value does not appear in job output or logs.
pwsh_output   PowerShell execution output including revocation results and summary

Process Flow

  1. Retrieve PKI Credentials
     Securely fetches the PKI service account credentials from Passwordstate.

  2. Input Normalization
     • Parses CSV input for CNs and serial numbers
     • Automatically adds FQDN variants for non-qualified CNs
     • Deduplicates the normalized CN list

  3. Input Validation
     Ensures that at least one revocation source (CN or Serial Number) is supplied.

  4. CA Processing Loop
     Iterates over one or more configured Certification Authorities.

  5. CN-Based Revocation
     • Queries the CA database for issued certificates matching the CN
     • Extracts all matching serial numbers
     • Revokes each matching certificate

  6. Serial-Based Revocation
     • Directly revokes explicitly supplied serial numbers
     • No database lookup required

  7. Result Collection
     • Tracks per-certificate success or failure
     • Includes CA, CN, serial number, reason, and message

  8. Final Reporting
     Outputs a revocation summary and sets the playbook exit code:
     • 0 → all revocations successful
     • 1 → one or more revocations failed
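The CA loop, CN lookup, revocation, result collection and exit code from the process flow above, as an added PowerShell example (this is not the playbook's own code). It assumes certutil.exe is on PATH, the session already runs as the PKI service account, and the CN list has already been normalized and deduplicated; the function names, the default parameter values and the `(explicit serial)` marker are constructed for this example.

```powershell
# Added example, not the playbook's own code: the CA loop, CN lookup, revocation,
# result collection and exit code described in the process flow above.
# Assumptions: certutil.exe is on PATH, the session already runs as the PKI
# service account, and $CommonNames has already been normalized/deduplicated.
param(
    [string[]] $CommonNames   = @('server01', 'server01.gentgrp.gent.be'),
    [string[]] $SerialNumbers = @(),
    [string[]] $CALocations   = @('SRVCAISSUE02.gentgrp.gent.be\D09-Issuing-CA2'),
    [ValidateRange(0, 6)] [int] $Reason = 1   # RFC 5280 CRLReason; 1 = keyCompromise
)

function Get-IssuedSerialsByCN {
    param([string] $CAConfig, [string] $CommonName)
    # Disposition=20 means "issued": certificates that are already revoked are not
    # targeted again. The CN is spliced into the restriction string, which is why
    # only normalized, approved-suffix CNs should ever reach this point.
    $lines = & certutil -config $CAConfig -view `
        -restrict "CommonName=$CommonName,Disposition=20" -out "SerialNumber" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed on $CAConfig for '$CommonName'" }
    # certutil prints quoted CSV rows plus a trailing status line; keep only the rows.
    $rows = @($lines | Where-Object { $_ -match '^"' } | ConvertFrom-Csv)
    foreach ($row in $rows) {
        # Single requested column, so take its value whatever certutil titles the header.
        $serial = ($row.PSObject.Properties | Select-Object -First 1).Value
        if ($serial) { $serial.Trim() }
    }
}

function Revoke-Serial {
    param([string] $CAConfig, [string] $Serial, [int] $Reason, [string] $Source)
    $out = (& certutil -config $CAConfig -revoke $Serial $Reason) -join ' '
    [pscustomobject]@{
        CA      = $CAConfig
        CN      = $Source
        Serial  = $Serial
        Reason  = $Reason
        Success = ($LASTEXITCODE -eq 0)
        Message = $out.Trim()
    }
}

$results = [System.Collections.Generic.List[object]]::new()

foreach ($ca in $CALocations) {
    Write-Host "Processing CA: $ca"

    foreach ($cn in $CommonNames) {
        try {
            $serials = @(Get-IssuedSerialsByCN -CAConfig $ca -CommonName $cn)
        } catch {
            # A failed lookup is recorded and processing continues with the next item.
            $results.Add([pscustomobject]@{
                CA = $ca; CN = $cn; Serial = ''; Reason = $Reason
                Success = $false; Message = $_.Exception.Message })
            continue
        }
        Write-Host "  $cn -> $($serials.Count) issued certificate(s)"
        foreach ($s in $serials) {
            $results.Add((Revoke-Serial -CAConfig $ca -Serial $s -Reason $Reason -Source $cn))
        }
    }

    # Explicit serials are revoked without a lookup. A serial number only exists on
    # its issuing CA, so with several CAs configured expect failures on the others.
    foreach ($s in $SerialNumbers) {
        $results.Add((Revoke-Serial -CAConfig $ca -Serial $s.Trim() -Reason $Reason -Source '(explicit serial)'))
    }
}

$results | Format-Table CA, CN, Serial, Success, Message -AutoSize
$failed = @($results | Where-Object { -not $_.Success }).Count
Write-Host "Summary: $($results.Count - $failed) revoked, $failed failed"
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

Two design points worth noting. Restricting the lookup to Disposition=20 keeps a re-run from reporting already-revoked certificates as failures, and recording a failed lookup instead of aborting is what lets one bad CA or CN leave the rest of the batch untouched. A revocation through certutil -revoke is only a change in the CA database; relying parties see it once a new CRL is published and their cached CRL or OCSP responses expire.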

Revocation Reasons (RFC 5280)

Code  Meaning
0     Unspecified
1     Key Compromise
2     CA Compromise
3     Affiliation Changed
4     Superseded
5     Cessation of Operation
6     Certificate Hold

Security Features

  • Credential Protection
    Secrets retrieved dynamically from Passwordstate; no hard-coded credentials.

  • Input Guardrails
    Controlled CN normalization prevents arbitrary domain injection.

  • Auditable Output
    Detailed per-certificate revocation results for incident response and compliance.


Monitoring & Troubleshooting

The playbook provides clear execution feedback including:

  • CA(s) being processed
  • Normalized CN list
  • Certificates found per CN
  • Revocation success or failure per serial number
  • Final revocation summary

Failures on individual certificates do not stop processing of the remaining items; each failure is recorded in the per-certificate results and reflected in the final exit code.

Note that certutil -revoke only marks the certificate as revoked in the CA database. Relying parties learn of the revocation once the CA publishes a new CRL (or the OCSP responder picks up the change) and their cached CRL/OCSP responses expire. For a time-critical revocation, follow the playbook run with a CRL publish on the CA (certutil -CRL) and check the CRL validity period in use.


Operational Use Cases

  • Incident response (key compromise, malware, lateral movement)
  • Decommissioning servers or services
  • Bulk revocation during PKI security events

Dependencies

  • Windows PowerShell
  • CertUtil (AD CS tools installed)
  • Network connectivity to CA
  • Passwordstate integration
  • Ansible Automation Platform (AAP)