I agree with what Fraser says. Non-expired certs (revoked or not) should never be removed from the CA repository as that will affect the CRL

I believe someone asked about this before, and we also warned them about that. Though I have no recollection how it worked out for them in the end. You could do a backup before you try.



On 07/30/2017 10:14 PM, Fraser Tweedale wrote:
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users wrote:
Hello all,

we are currently facing issue with huge number of outdated certificate entries
in o=ipaca LDAP subtree (many servers no longer exists, certificates already 
expired etc)
and we would like to remove them to decrease number of entries in LDAP and also
to speed-up initial replication of o=ipaca subtree (we have more than 700 000
DNs in o=ipaca and deploy of new replica takes quite long).

Does anyone tried to do something like this? I'm quite affraid if simple
ldapdelete of many DNs in o=ipaca subtree wouldn't break DogTag somehow.

Do you have any ideas if something can break by removal of old (expired and also
non-expired) certificates from o=ipaca ? Thanks in advance for any advice.

Regards, Adam

It is not a supported operation, but I cannot think of any problems
that would arise from removing the certificate records under
o=ipaca.  But I am copying pki-users@ to get the attention of the
rest of the Dogtag team in case there is something I am not thinking

Strictly speaking, you should only remove expired certificates, even
if a host has disappeared the validity period is a promise by a CA
to maintain knowledge about a certificate for that whole period.

(Note to Dogtag team: FreeIPA configures Dogtag to use sequential
serial numbers.  The usual range mechanism applies for CA clones).


Pki-users mailing list
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to