Hello all, I'm not sure this is the correct list to post in, but it seems to be more of a PKI issue. I'm wondering if there is a clean/easy way to delete certificates from IPA CA/PKI.
For a little context: one of our systems has an IPA pair, which issues certificates for internal use via dogtag PKI. Two weeks ago, we found that some certificates were renewed without DNS SAN. After a few searches, I found this thread [1] which helped us import the profile into LDAP and everything seemed to go back to normal. However, some servers in this system went mad a few days later, and certmonger looped on renewal of some certificates. In /var/log/messages, we can see these two lines repeating every few seconds:

    Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
    Nov 8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.

After restarting certmonger, the loop stopped. The problem now is we have 54K certificates in IPA CA. Some hosts have up to 2400 certificates issued. The dirsrv file id2entry.db is 1.3GB. The backup process needs about 8GB to run and produces 3.5GB backups (up from ~100MB). Almost all ipa commands time out because of the huge number of certificates.

I would like to avoid revoking the certificates for two reasons:

* They are for an exclusively internal use, and I'm absolutely positive that they have not been compromised,
* It's likely it wouldn't solve the backup size problem.

Is there another way than manually deleting them from LDAP? I couldn't find any command that would simply delete the certs. If not, is it safe to delete them?

Kind regards,
François PICOT

[1] https://www.redhat.com/archives/freeipa-users/2016-May/msg00191.html

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
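The renewal loop described in the post is easy to spot in hindsight but expensive to miss: every pass through the loop adds another certificate entry to the CA's LDAP store. The following is an added example (not code from the post or from the FreeIPA/certmonger projects) of a small detector that parses syslog lines of the shape quoted above and flags any (host, tracked file) pair that was re-issued more than a threshold number of times inside a short window. The sample log lines, hostnames, paths and timestamps are constructed for this example and are not from the original system; the window and threshold values are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the two certmonger messages quoted in the post.
# Hostnames, file paths and timestamps are made up for this example.
SAMPLE_LOG = """\
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:14 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:19 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:22:25 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" is no longer valid.
Nov  8 14:22:25 srv-01 certmonger: Certificate in file "/etc/httpd/httpd.crt" issued by CA and saved.
Nov  8 14:30:00 srv-02 certmonger: Certificate in file "/etc/pki/tls/certs/ldap.crt" issued by CA and saved.
Nov  8 14:30:01 srv-02 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""

# Only the "issued by CA and saved" line counts as a completed renewal; the
# "is no longer valid" line is the trigger, not the issuance.
ISSUED_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) certmonger: Certificate in file "(?P<path>[^"]+)" issued by CA and saved\.$'
)


def parse_issuances(log_text):
    """Return a list of (timestamp, host, path) for every completed renewal.

    Syslog lines carry no year, so strptime defaults to 1900; that is fine
    because we only ever compare timestamps with each other.
    """
    issuances = []
    for line in log_text.splitlines():
        m = ISSUED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m.group('mon')} {int(m.group('day')):02d} {m.group('time')}",
            "%b %d %H:%M:%S",
        )
        issuances.append((ts, m.group("host"), m.group("path")))
    return issuances


def find_renewal_loops(log_text, window_seconds=60, threshold=3):
    """Flag (host, path) pairs renewed >= threshold times within window_seconds.

    Returns a sorted list of (host, path, max_renewals_in_window). A healthy
    tracked certificate is renewed once per validity period, so even a small
    threshold inside a one-minute window is a strong signal of a loop.
    """
    by_target = defaultdict(list)
    for ts, host, path in parse_issuances(log_text):
        by_target[(host, path)].append(ts)

    flagged = []
    for (host, path), stamps in by_target.items():
        stamps.sort()
        # Sliding window: for each issuance, count how many follow it within the window.
        best = 0
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, count)
        if best >= threshold:
            flagged.append((host, path, best))
    return sorted(flagged)


if __name__ == "__main__":
    for host, path, n in find_renewal_loops(SAMPLE_LOG):
        print(f"renewal loop suspected: {host} {path} ({n} issuances within 60s)")
```

Run over a real /var/log/messages (or journald output piped to a file) this reports only the targets that are being re-issued in a tight loop; a single renewal per tracked file, as for srv-02 in the sample, is normal and stays quiet. Alerting on this pattern before restarting certmonger is what stops the CA store from filling up with thousands of redundant entries per host.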