[Pki-users] [Freeipa-users] Removal of obsolete certificates from o=ipaca

Christina Fu cfu at redhat.com
Mon Jul 31 16:20:12 UTC 2017


I agree with what Fraser says.  Non-expired certs (revoked or not) 
should never be removed from the CA repository, as that will affect the CRL.

I believe someone asked about this before, and we also warned them about 
that.  Though I have no recollection how it worked out for them in the 
end.  You could do a backup before you try.

regards,

Christina


On 07/30/2017 10:14 PM, Fraser Tweedale wrote:
> On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
>> Hello all,
>>
>> we are currently facing an issue with a huge number of outdated certificate entries
>> in the o=ipaca LDAP subtree (many servers no longer exist, certificates have already expired, etc.),
>> and we would like to remove them to decrease the number of entries in LDAP and also
>> to speed up the initial replication of the o=ipaca subtree (we have more than 700 000
>> DNs in o=ipaca, and deploying a new replica takes quite long).
>>
>> Has anyone tried to do something like this? I'm quite afraid that a simple
>> ldapdelete of many DNs in the o=ipaca subtree might break Dogtag somehow.
>>
>> Do you have any idea whether something can break by removing old (expired and also
>> non-expired) certificates from o=ipaca? Thanks in advance for any advice.
>>
>> Regards, Adam
>>
> It is not a supported operation, but I cannot think of any problems
> that would arise from removing the certificate records under
> o=ipaca.  But I am copying pki-users@ to get the attention of the
> rest of the Dogtag team in case there is something I am not thinking
> of.
>
> Strictly speaking, you should only remove expired certificates: even
> if a host has disappeared, the validity period is a promise by a CA
> to maintain knowledge about a certificate for that whole period.
>
> (Note to Dogtag team: FreeIPA configures Dogtag to use sequential
> serial numbers.  The usual range mechanism applies for CA clones).
>
> HTH,
> Fraser
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
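The thread's advice reduces to two rules: take a backup first, and select records by expiry date only, so that a revoked-but-unexpired certificate (still needed for CRL generation) is never on the delete list, whether or not its host still exists. The script below is an added example, not code from the thread, from FreeIPA or from Dogtag. It works offline on an LDIF export of the certificate repository and produces the DN list that `ldapdelete -f` consumes. It assumes Dogtag's record layout as the editor understands it: entries under `ou=certificateRepository,ou=ca,o=ipaca` with `objectClass: certificateRecord` and a GeneralizedTime `notAfter` attribute (e.g. `20170731162012Z`); verify those names against your own export before trusting the output. The embedded LDIF is constructed sample data.

```python
"""Select expired certificate records from an o=ipaca LDIF export.

Added example, not part of the original thread.  Assumes (editor's
assumption, check against a real export) that Dogtag stores one entry
per certificate under CERT_BASE with objectClass certificateRecord and
a GeneralizedTime notAfter.  Selection is by notAfter only, so revoked
but unexpired records, which the CRL still needs, are never returned.
"""
import re
from datetime import datetime, timedelta, timezone

CERT_BASE = "ou=certificateRepository,ou=ca,o=ipaca"  # assumed Dogtag layout

# Constructed sample export, not a real o=ipaca dump.
SAMPLE_LDIF = """\
dn: cn=10,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
certStatus: EXPIRED
notBefore: 20150101000000Z
notAfter: 20170101000000Z

dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
certStatus: REVOKED
notBefore: 20160101000000Z
notAfter: 20180101000000Z

dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
certStatus: VALID
notBefore: 20160601000000Z
notAfter: 20170701000000Z

dn: cn=13,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
certStatus: VALID
notBefore: 20170101000000Z
notAfter: 20190101000000Z
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attr: [values]} dicts.

    Handles folded continuation lines and comments.  Base64 values
    ('attr:: ...') are kept undecoded; only plain dn/objectClass/notAfter
    are needed here.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:  # folded line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():  # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20170731162012Z as UTC."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError("unexpected time format: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expired_cert_dns(ldif_text, now, grace_days=0):
    """Return DNs of certificateRecord entries expired more than grace_days ago.

    `now` may be a datetime or a GeneralizedTime string.  Entries outside
    CERT_BASE, without the expected objectClass, or without notAfter are
    skipped, so a mistaken export cannot put request or CRL entries on
    the delete list.  certStatus is deliberately ignored: it is a cached
    status, while notAfter is the fact the CA promised to honour.
    """
    if isinstance(now, str):
        now = parse_generalized_time(now)
    cutoff = now - timedelta(days=grace_days)
    chosen = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith("," + CERT_BASE.lower()):
            continue
        if "certificaterecord" not in (v.lower() for v in entry.get("objectclass", [])):
            continue
        if "notafter" not in entry:
            continue  # no validity data: leave it alone rather than guess
        if parse_generalized_time(entry["notafter"][0]) < cutoff:
            chosen.append(dn)
    return chosen


def ldapdelete_input(dns):
    """One DN per line: the file format `ldapdelete -f FILE` reads."""
    return "".join(dn + "\n" for dn in dns)


if __name__ == "__main__":
    # Keep a grace period so a certificate that expired minutes ago, or
    # one still listed on the current CRL, is not removed prematurely.
    print(ldapdelete_input(expired_cert_dns(SAMPLE_LDIF, "20170731000000Z",
                                            grace_days=30)), end="")
```

In practice the input would come from something like `ldapsearch -LLL -b ou=certificateRepository,ou=ca,o=ipaca > certs.ldif` run against a backup or a read-only replica, the output reviewed by hand (the revoked `cn=11` entry must not appear in it), and only then fed to `ldapdelete -f`. The grace period exists because a freshly expired certificate may still be listed on the CRL currently published; choose it to exceed your CRL validity window.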
