B.4. Generating a Revocation Certificate
Once you have created your keypair, you should create a revocation
certificate for your public key. If you forget your passphrase, or if it
has been compromised, you can publish this certificate to inform users
that your public key should no longer be used.
When you generate a revocation certificate, you are not revoking the
key you just created. Instead, you are giving yourself a safe way to
revoke your key from public use in case you
forget your passphrase, switch ISPs (addresses), or suffer a hard
drive crash. The revocation certificate can then be used to disqualify
your public key.
Your signature is valid to others who read your correspondence before
your key is revoked, and you are able to decrypt messages received prior
to its revocation. To generate a revocation certificate, use the
Note that if you omit the --output revoke.asc option
from the above, your revocation certificate is returned to the standard
output, which is your monitor screen. While you can copy and paste the
contents of the output into a file of your choice using a text editor,
it is probably easier to send the output to a file in your login
directory. That way, you can keep the certificate for use later, or move
it to a diskette and store it someplace safe.
The output looks similar to the following:
sec 1024D/823D25A9 2000-04-26 Your Name <[email protected]>
Create a revocation certificate for this key?
Press [Y] and [Enter] to create a revocation certificate for the
listed key. Next, you are asked to select the reason for revocation and
provide an optional description. After confirming the reason, enter the
passphrase you used to generate the key.
Once your revocation certificate has been created
(revoke.asc), it is located in your login
directory. You should copy the certificate to a diskette and store it in
a secure place. (If you do not know how to copy a file to a diskette in
Red Hat Enterprise Linux, see the Red Hat Enterprise Linux Step By Step Guide, Section 13.1 Using Diskettes).