[Pki-users] partition dogtag data in the ldap server?

Christina Fu cfu at redhat.com
Wed Jul 22 20:43:15 UTC 2015


Thank you Dave for bringing this email to my attention...somehow it 
slipped by me.

I just want to point out that if you do choose to "remove" certs from 
the internal ldap repository, please do not remove any certs that are 
revoked but not yet expired.  Doing so will cause your CRL generation to 
miss the revoked certificates, and render them valid when checked 
by clients.  It would be a big security violation of PKI.

regards,
Christina
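An added illustration of the point above (not code from the thread or from Dogtag): given a constructed sample of certificate repository entries, it partitions on expiry only and shows which revoked serials would vanish from the CRL if revoked-but-unexpired entries were purged. The attribute names `certStatus`, `notAfter` and `serialno` are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of certificate repository entries; attribute names are
# assumed for the example, not taken from a live Dogtag instance.
NOW = datetime(2015, 7, 22, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"serialno": 1, "certStatus": "VALID",   "notAfter": NOW + timedelta(days=300)},
    {"serialno": 2, "certStatus": "REVOKED", "notAfter": NOW + timedelta(days=30)},
    {"serialno": 3, "certStatus": "REVOKED", "notAfter": NOW - timedelta(days=5)},
    {"serialno": 4, "certStatus": "VALID",   "notAfter": NOW - timedelta(days=1)},
]


def is_expired(entry, now):
    return entry["notAfter"] <= now


def partition_for_archive(entries, now):
    """Split entries into (keep, archive).

    Only expired certificates are safe to move out of the CA's repository.
    A revoked certificate that is still inside its validity period must stay:
    the CRL is generated from the repository, so dropping it makes the next
    CRL silently omit it and relying parties treat the cert as valid again.
    """
    keep, archive = [], []
    for entry in entries:
        (archive if is_expired(entry, now) else keep).append(entry)
    return keep, archive


def crl_serials(entries, now):
    """Serial numbers a CRL built from these entries would list."""
    return sorted(e["serialno"] for e in entries
                  if e["certStatus"] == "REVOKED" and not is_expired(e, now))


def unsafe_removal_misses(entries, removed_serials, now):
    """Revoked, unexpired serials that drop off the CRL if `removed_serials` are purged."""
    before = set(crl_serials(entries, now))
    remaining = [e for e in entries if e["serialno"] not in removed_serials]
    after = set(crl_serials(remaining, now))
    return sorted(before - after)


if __name__ == "__main__":
    keep, archive = partition_for_archive(SAMPLE_ENTRIES, NOW)
    print("keep:", [e["serialno"] for e in keep], "archive:", [e["serialno"] for e in archive])
    print("CRL would lose:", unsafe_removal_misses(SAMPLE_ENTRIES, {2, 3}, NOW))
```

The split assumes the CRL issuing point does not include expired certificates; if it is configured to keep them on the CRL, the expired revoked entries must stay in the repository as well.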

On 07/22/2015 11:35 AM, Dave Sirrine wrote:
> Alexander,
>
> Can you define "hard to handle"? What version of Dogtag are you using? 
> Are you running into performance degradation? Unfortunately, it likely 
> won't be too easy to segregate this data. In dogtag 10.2 there should 
> be a scheduled job that regularly runs through and removes all expired 
> certs:
>
> jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
> jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
>
> Thanks in advance.
>
> -- Dave
>
> ------------------------------------------------------------------------
>
>     *From: *"Alexander Jung" <alexander.w.jung at gmail.com>
>     *To: *"pki-users at redhat.com" <Pki-users at redhat.com>
>     *Sent: *Thursday, July 9, 2015 7:44:17 AM
>     *Subject: *[Pki-users] partition dogtag data in the ldap server?
>
>     Hi,
>
>     we have a rather large dogtag install here and the ldap-info is
>     getting hard to handle (right now in the ~75Gb range).
>
>     Are there any recommended ways to partition the data? I am
>     thinking of migrating all expired and revoked certificates to a
>     chained ldap-instance and keeping only the "valid" certificates data
>     in direct access to the CA instances.
>
>     The migration from the "valid" partition to the "expired"
>     partition will have to be done outside of dogtag and the
>     389ds-ldaps, probably by a script at night (it probably could be
>     integrated into the expire runs the dogtag does, although)
>
>     Has a thing like this been done yet? What were the experiences?
>     What should I look out for?
>
>     Kind regards,
>
>     Alexander Jung
>
>     _______________________________________________
>     Pki-users mailing list
>     Pki-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/pki-users
