I'm not sure this is the correct list to post in, but it seems to be more of a
PKI issue. I'm wondering if there is a clean/easy way to delete certificates
from IPA CA/PKI.
For a little context: one of our systems has an IPA pair, which issues
certificates for internal use via Dogtag PKI. Two weeks ago, we found that some
certificates were renewed without DNS SAN. After a few searches, I found this
thread which helped us import the profile into LDAP and everything seemed
to go back to normal.
However, some servers in this system went mad a few days later, and certmonger
looped on renewal of some certificates.
In /var/log/messages, we can see these two lines repeating every few seconds:
Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt"
is no longer valid.
Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt"
issued by CA and saved.
After restarting certmonger, the loop stopped.
The problem now is we have 54K certificates in IPA CA. Some hosts have up to
2400 certificates issued. The dirsrv file id2entry.db is 1.3GB. The backup
process needs about 8GB to run and produces 3.5GB backups (up from ~100MB).
Almost all ipa commands time out because of the huge number of certificates.
I would like to avoid revoking the certificates for two reasons:
* They are for an exclusively internal use, and I'm absolutely positive that
they have not been compromised;
* It's likely it wouldn't solve the backup size problem.
Is there another way than manually deleting them from LDAP? I couldn't find
any command that would simply delete the certs.
If not, is it safe to delete them?
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
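Before deleting anything from the CA's LDAP backend, a practitioner would want a list of which entries are actually superseded duplicates of the kind the renewal loop above produces. The script below is an added example, not code from the original post or from FreeIPA/Dogtag. It assumes the Dogtag CA keeps one entry per issued certificate under ou=certificateRepository,ou=ca,o=ipaca with the attributes cn (serial number), subjectName, certStatus and notBefore (GeneralizedTime); those names are assumptions to check against a real `ldapsearch` dump. The sample dump is constructed. For each subject it keeps the most recently issued VALID certificate and lists the older VALID ones, and it deliberately leaves REVOKED entries alone because the CRL is generated from them.

```python
"""Triage Dogtag certificate-repository entries after a certmonger renewal loop.

Added example, not from the original post or from FreeIPA/Dogtag.
Assumed schema: cn = serial, subjectName, certStatus, notBefore (GeneralizedTime).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample dump (not real data): srv-01 went through a renewal loop,
# srv-02 has one current certificate plus an older revoked one.
SAMPLE_LDIF = """\
dn: cn=1001,ou=certificateRepository,ou=ca,o=ipaca
cn: 1001
subjectName: CN=srv-01.example.test,O=EXAMPLE.TEST
certStatus: VALID
notBefore: 20171101090000Z

dn: cn=1002,ou=certificateRepository,ou=ca,o=ipaca
cn: 1002
subjectName: CN=srv-02.example.test,O=EXAMPLE.TEST
certStatus: VALID
notBefore: 20171101090500Z

dn: cn=1005,ou=certificateRepository,ou=ca,o=ipaca
cn: 1005
subjectName: CN=srv-01.example.test,O=EXAMPLE.TEST
certStatus: VALID
notBefore: 20171108132214Z

dn: cn=1007,ou=certificateRepository,ou=ca,o=ipaca
cn: 1007
subjectName: CN=srv-01.example.test,O=EXAMPLE.TEST
certStatus: VALID
notBefore: 20171108132218Z

dn: cn=1008,ou=certificateRepository,ou=ca,o=ipaca
cn: 1008
subjectName: CN=srv-02.example.test,O=EXAMPLE.TEST
certStatus: REVOKED
notBefore: 20151101090500Z
"""


def parse_ldif(text):
    """Split an LDIF dump into records: one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries


def _gtime(value):
    """Parse LDAP GeneralizedTime such as 20171108132214Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def find_superseded(entries):
    """Map subject -> (serial to keep, sorted older VALID serials).

    Only VALID entries are considered: revoked ones must stay so the CRL
    still lists them, and expired ones are a separate cleanup decision.
    """
    by_subject = defaultdict(list)
    for e in entries:
        if e.get("certStatus") == "VALID":
            by_subject[e["subjectName"]].append(e)
    result = {}
    for subject, certs in by_subject.items():
        certs.sort(key=lambda e: _gtime(e["notBefore"]))
        keep = int(certs[-1]["cn"])
        older = sorted(int(e["cn"]) for e in certs[:-1])
        result[subject] = (keep, older)
    return result


def to_delete_ldif(result):
    """Render the superseded serials as ldapmodify 'changetype: delete' records for review."""
    lines = []
    for subject in sorted(result):
        for serial in result[subject][1]:
            lines.append(f"dn: cn={serial},ou=certificateRepository,ou=ca,o=ipaca")
            lines.append("changetype: delete")
            lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    triage = find_superseded(parse_ldif(SAMPLE_LDIF))
    for subject, (keep, older) in sorted(triage.items()):
        print(f"{subject}: keep {keep}, superseded {older}")
    print(to_delete_ldif(triage))
```

The output is a review list, not something to pipe straight into ldapmodify: if certmonger was restarted mid-loop, the certificate actually installed in /etc/httpd/httpd.crt is not necessarily the newest by notBefore, so compare `openssl x509 -noout -serial -in /etc/httpd/httpd.crt` on each host against the "keep" serial before removing anything.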