
To this time, I could not find this question anywhere else. If there is one, please let me know.

One of my old employees used to use a PEM file we generated (I don't know when) to log in to our FreeBSD server without using credentials. He has left the company and we want to revoke that PEM file in order to prevent him from logging in to our server. Is there any way to disable/invalidate/revoke the PEM file?

Thanks

  • By PEM, I assume you mean a Base-64 encoded file. Is the PEM file an SSH key or an X.509 certificate? The former would be used for SSH login, while the latter would be used to log in to a website hosted on your server. You need to clarify this in your question. Commented Jun 10, 2018 at 9:43
  • Sorry for the confusion. It was used for SSH login, not for website related work. Commented Jun 10, 2018 at 9:55

2 Answers


You need to remove the user's public key from the user's authorized_keys file on the server. The default location for this is in the .ssh directory within the user's home directory. For example, for user bloggs the file will be /home/bloggs/.ssh/authorized_keys.

The file will contain the public keys that correspond to the private keys that user bloggs can use to log in to your server. If bloggs has left the company, then simply delete all entries. Even better, delete his/her account.

If this is a shared account, you'll need to figure out which public keys in that file correspond to the private keys bloggs still has access to, and remove just those. Remove the wrong ones and you'll lock out legitimate users. Fortunately, many entries in the authorized_keys file have a comment consisting of the user's details at the end of the key. This may help you weed out the keys you need to remove.

  • Thanks for the detailed answer. I'll try it and post the findings. Commented Jun 10, 2018 at 10:57
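The procedure in the answer above (find the departed user's entry in authorized_keys, remove only that entry, keep the others) can be scripted so that the file is reviewed before anything is deleted and the edit is atomic. The following POSIX sh helpers are an added example, not code from the answer or from any OpenSSH tool; the function names, the timestamped backup naming and the sample key lines are assumptions made for the example. Matching on the base64 key blob is preferred over matching on the comment, because the comment is optional and can say anything.

```shell
#!/bin/sh
# Added example (not from the answer above): helpers for reviewing and
# pruning a user's authorized_keys file. Function names, the sample key
# lines and the backup naming are assumptions made for this example.

# list_keys FILE
# Print every active entry as "<line-number> <key-type> <comment>" so you can
# decide which entry belongs to whom before removing anything. Entries that
# start with an options field (from="...", command="...") are handled as long
# as that field contains no spaces.
list_keys() {
  awk '!/^[[:space:]]*(#|$)/ {
    k = 1
    if ($1 !~ /^(ssh-|ecdsa-|sk-)/) k = 2      # skip a leading options field
    comment = ""
    for (i = k + 2; i <= NF; i++) comment = comment (i > k + 2 ? " " : "") $i
    printf "%d\t%s\t%s\n", NR, $k, comment
  }' "$1"
}

# revoke_key FILE TARGET
# Remove every entry whose base64 key blob (field 2 of the .pub line) or
# whose comment equals TARGET. Matching on the blob is the reliable choice;
# the comment is editable and may be missing. A timestamped backup is kept,
# the new file is written atomically and stays mode 600. Prints the number
# of entries removed.
revoke_key() {
  akfile="$1"
  target="$2"
  [ -f "$akfile" ] || { echo "no such file: $akfile" >&2; return 2; }

  before=$(grep -Ecv '^[[:space:]]*(#|$)' "$akfile" || true)
  cp -p "$akfile" "$akfile.bak.$(date +%Y%m%d%H%M%S)" || return 2

  tmp=$(mktemp "$akfile.XXXXXX") || return 2
  awk -v t="$target" '
    /^[[:space:]]*(#|$)/ { print; next }      # keep comments and blank lines
    {
      drop = 0
      for (i = 1; i <= NF; i++) if ($i == t) drop = 1
      if (!drop) print
    }' "$akfile" > "$tmp" || { rm -f "$tmp"; return 2; }

  chmod 600 "$tmp"
  mv "$tmp" "$akfile"

  after=$(grep -Ecv '^[[:space:]]*(#|$)' "$akfile" || true)
  echo $((before - after))
}

# Usage (run as root or as the account owner on the server):
#   list_keys  /home/bloggs/.ssh/authorized_keys
#   revoke_key /home/bloggs/.ssh/authorized_keys bloggs@example.com
```

Run list_keys first and compare the key blobs against the .pub files or fingerprints you still have for the remaining users; only then call revoke_key with the blob of the departed user's key. The backup lets you restore the file if a legitimate user is locked out, and removing the entry takes effect for new SSH logins immediately, while an already established session is unaffected until it ends.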

It depends on what service he was logging in to. Most applications which make use of SSL have an optional RevokedKeys option which links to a file with a list of revoked keys. These files are generally "crl" files, and googling key revocation (service) should give you precise info.

The name of the option will vary per service: OpenVPN calls the parameter crl-verify, Apache client certs use SSLCARevocationPath, nginx uses ssl_crl.
