[Freeipa-users] mastercrl files

Fraser Tweedale ftweedal at redhat.com
Thu Nov 12 00:14:42 UTC 2015


On Wed, Nov 11, 2015 at 03:41:34PM -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> >On 11/10/2015 10:59 PM, Fraser Tweedale wrote:
> >>On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
> >>>hi,
> >>>
> >>>do we need to keep all the MasterCRL-YYYYMMDD-HHMMSS.der files or can we
> >>>purge them on a regular basis (say, keep 60 days dump the rest)?
> >>>
> >>>$ ls -l | wc -l
> >>>3621
> >>>
> >>>this is in a server installed 3 years ago.
> >>>
> >>>--
> >>>Groeten,
> >>>natxo
> >>>
> >>Hi Natxo,
> >>
> >>You can purge them.  I am not sure why we keep the old ones around;
> >>can someone fill me in?
> >
> >This was not touched long ago. CCing Rob in case he has an idea, but if
> >not - you are probably the best person to improve it :-)
> >
> 
> I don't know if I considered this at all back in the day but I agree it is
> probably up to dogtag to prune this directory. The files to keep should be
> based on the generation schedule. I can't think of any value an older CRL
> might provide though perhaps that should be configurable too.
> 
> rob
>
I filed tickets:

https://fedorahosted.org/pki/ticket/1696
https://fedorahosted.org/freeipa/ticket/5447

I do not think it is a high priority because it can be achieved with
a simple cron job.  But we should change the default behaviour
eventually.

Cheers,
Fraser
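
The cron job mentioned in the message above, sketched as an added example (not code from the thread or from FreeIPA/Dogtag). It prunes by the timestamp in the MasterCRL-YYYYMMDD-HHMMSS.der file name rather than by mtime and always keeps the newest dump. Assumptions: the function names are hypothetical, CRL_DIR is a placeholder for the directory the CA publishes into, and the 60-day window is the one from the original question.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# "YYYYMMDD-HHMMSS" -> 14-digit number that compares chronologically.
stamp_to_num() {
    printf '%s%s\n' "${1%-*}" "${1#*-}"
}

# Print the numeric stamp of a path if it is a plain, correctly named dump.
crl_num() {
    name=${1##*/}
    case $name in
        MasterCRL-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9].der) ;;
        *) return 1 ;;
    esac
    # Symlinks and directories are never candidates for removal.
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    stamp=${name#MasterCRL-}
    stamp_to_num "${stamp%.der}"
}

# prune_crls DIR CUTOFF [dry-run]
# Removes dumps stamped before CUTOFF but always keeps the newest dump.
# Prints the number of files removed (or that would be, in dry-run mode).
prune_crls() {
    dir=$1
    cutoff=$(stamp_to_num "$2")
    mode=${3:-delete}
    newest=0
    removed=0
    for path in "$dir"/MasterCRL-*.der; do      # pass 1: find newest stamp
        num=$(crl_num "$path") || continue
        if [ "$num" -gt "$newest" ]; then newest=$num; fi
    done
    for path in "$dir"/MasterCRL-*.der; do      # pass 2: remove old dumps
        num=$(crl_num "$path") || continue
        if [ "$num" -ge "$cutoff" ] || [ "$num" -eq "$newest" ]; then continue; fi
        if [ "$mode" != dry-run ]; then rm -f -- "$path"; fi
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Cron usage (assumes GNU date; CRL_DIR is a placeholder for the publish directory):
#   prune_crls "$CRL_DIR" "$(date -d '60 days ago' +%Y%m%d-%H%M%S)"
```

Run it once with dry-run as the third argument to see how many files would go before scheduling it.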