Hello all, 

I'm not sure this is the correct list to post in, but it seems to be more of a 
PKI issue. I'm wondering if there is a clean/easy way to delete certificates 
from IPA CA/PKI.  

For a little context.. One of our systems has an IPA pair, which issues 
certificates for internal use via dogtag PKI. Two weeks ago, we found that some 
certificates were renewed without DNS SAN. After a few searches, I found this 
thread [1] which helped us import the profile into LDAP and everything seemed 
to go back to normal.

However, some servers in this system went mad a few days later, and certmonger 
looped on renewal of some certificates. 
In /var/log/messages, we can see these two lines repeating every few seconds: 
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" 
is no longer valid.
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" 
issued by CA and saved.

After restarting certmonger, the loop stopped. 

The problem now is we have 54K certificates in IPA CA. Some hosts have up to 
2400 certificates issued. The dirsrv file id2entry.db is 1.3GB. The backup 
process needs about 8GB to run and produce 3.5GB backups (up from ~100MB). 
Almost all ipa commands time out because of the huge number of certificates. 

I would like to avoid revoking the certificates for two reasons: 
* They are for an exclusively internal use, and I'm absolutely positive that 
they have not been compromised, 
* It's likely it wouldn't solve the backup size problem. 

Is there any way other than manually deleting them from LDAP? I couldn't find 
any command that would simply delete the certs. 
If not, is it safe to delete them? 

Kind regards,
François PICOT

[1] https://www.redhat.com/archives/freeipa-users/2016-May/msg00191.html
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
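A small triage script for the certmonger symptom described in the post above (an added example, not code from the thread or from the FreeIPA project): it scans syslog lines for repeated "issued by CA and saved" messages on the same certificate file and flags a renewal loop when the same file is re-issued several times within a short window, so an operator can spot runaway hosts before the CA fills with thousands of certificates. The log lines are constructed, and the `year` argument is a placeholder because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the two lines quoted in the post, plus
# unrelated noise and a single, normal renewal on another host.
SAMPLE_LOG = """\
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:24 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:24 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:30 srv-01 sshd[1234]: Accepted publickey for admin from 10.0.0.5
Nov  8 14:25:00 srv-02 certmonger: Certificate in file "/etc/pki/tls/certs/ldap.crt" issued by CA and saved.
"""

# Matches only the "issued by CA and saved" line, which marks one completed renewal.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) certmonger: '
    r'Certificate in file "(?P<path>[^"]+)" issued by CA and saved\.$'
)

def parse_issued(log_text, year=1900):
    """Yield (host, path, timestamp) for every completed renewal in the log.
    `year` is a placeholder: syslog lines have no year, it only matters
    across a year boundary."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Collapse stray whitespace inside the path, as seen in pasted logs.
        yield m["host"], re.sub(r"\s+", "", m["path"]), ts

def find_renewal_loops(log_text, threshold=3, window_seconds=300):
    """Return {(host, path): total_renewals} for certificate files renewed
    at least `threshold` times within any `window_seconds` span."""
    events = defaultdict(list)
    for host, path, ts in parse_issued(log_text):
        events[(host, path)].append(ts)
    loops = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                loops[key] = len(stamps)
                break
    return loops

if __name__ == "__main__":
    for (host, path), n in find_renewal_loops(SAMPLE_LOG).items():
        print(f"renewal loop: {host} {path} ({n} renewals)")
```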
