[Pki-users] Revoking all certificates issued by Dogtag at once

Fraser Tweedale ftweedal at redhat.com
Mon Oct 19 21:27:57 UTC 2015


On Mon, Oct 19, 2015 at 11:25:49AM -0400, Peter P. wrote:
> Hi Fraser,
> 
> Thank you for your reply. I am trying to revoke certificates in bulk
> quantities because I'm using my instance of Dogtag for internal testing of
> an application that over time enrolls a large amount of certificates. I
> figured it would be a good idea to clear them out periodically.  If there
> is no issue with letting the issued certificates accumulate then I won't
> worry about needing to clear them out.
> 
Revoking would not help in that regard anyway - revoked certificates
are still kept in the database.  Indeed, they must be, so that CRLs and
OCSP responses can contain the correct information about the
certificate.

Regards,
Fraser

> Thank you,
> 
> Peter
> 
> On Wed, Oct 14, 2015 at 8:56 PM, Fraser Tweedale <ftweedal at redhat.com>
> wrote:
> 
> > On Wed, Oct 14, 2015 at 02:17:49PM -0400, Peter P. wrote:
> > > Hi,
> > >
> > > I have an instance of Dogtag installed on my Fedora 22 server and I
> > > wanted to know if there is a way to revoke all the certificates ever
> > > issued by my Dogtag CA in one shot.
> > >
> > The web interface does give you a way to revoke many certs at once.
> > Whether it can do "all" depends on how many certs you've issued :)
> > You could also script this using the CLI.  But what is it you are
> > actually trying to achieve?  Would it be sufficient to revoke the
> > issuer certificate instead?
> >
> > > Also, is there any bound/limit to the amount of valid certificates that
> > > can be issued by an instance of Dogtag?
> > >
> > Conceptually no.  In reality, you could run out of disk or, on
> > operations that involve many certificates (e.g. generate a CRL with
> > a huge number of non-expired revoked certs) then possibly hit memory
> > limits.
> >
> > Cheers,
> > Fraser
> >
> > > Thank you,
> > >
> > > Peter
> >
> >
> >
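
As an added illustration of the point made in the reply above (not code from the thread or from Dogtag): a toy Python model of a CA database showing that CRL contents and OCSP-style answers are computed from the stored records, so deleting a revoked record changes what relying parties are told. The record layout and function names are assumptions made for this example, and the CRL is simplified to "revoked and not yet expired".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class CertRecord:
    serial: int
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None means not revoked


def revoke(db: Dict[int, CertRecord], serial: int, when: datetime) -> None:
    """Revocation updates the stored record; it does not delete it."""
    db[serial].revoked_at = when


def build_crl(db: Dict[int, CertRecord], now: datetime) -> List[int]:
    """Serials a CRL issued at `now` would list (simplified model)."""
    return sorted(r.serial for r in db.values()
                  if r.revoked_at is not None and r.not_after > now)


def ocsp_status(db: Dict[int, CertRecord], serial: int) -> str:
    """Answer an OCSP-style status query from the same records."""
    rec = db.get(serial)
    if rec is None:
        return "unknown"
    return "revoked" if rec.revoked_at is not None else "good"


def demo() -> dict:
    now = datetime(2015, 10, 19)  # constructed sample data
    db = {s: CertRecord(s, now + timedelta(days=365)) for s in (1, 2, 3)}
    db[4] = CertRecord(4, now - timedelta(days=1))  # already expired
    for s in (1, 2, 4):
        revoke(db, s, now)
    before = {"records": len(db), "crl": build_crl(db, now),
              "ocsp_2": ocsp_status(db, 2)}
    del db[2]  # "clearing out" a revoked, still unexpired certificate
    after = {"records": len(db), "crl": build_crl(db, now),
             "ocsp_2": ocsp_status(db, 2)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Revoking leaves the record count unchanged, and once the record for serial 2 is deleted the CRL no longer lists a certificate that is still within its validity period.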
