Alexander Bokovoy wrote:
> On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
>>> Makes me look at this a different way. Perhaps change the certstore to
>>> only return valid CA certs. That way they are stored if anyone ever
>>> wants them but they won't get pulled down for ipa-certupdate or
>>> ipa-client-install.
>>>
>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>
>>> rob
>>>
>>
>> I think it's fine to change ipa-certupdate so it skips expired /
>> not-yet-valid certs.
>>
>> IMO we should never automatically prune expired certs from the LDAP
>> trust store, so that if a customer needs to do time travel to fix an
>> issue, the old CA certs will still be there and an ipa-certupdate
>> will "restore" them to the various certificate DBs.
>>
>> And for the same reason, I'd be hesitant to offer a UI to prune
>> expired certs from the trust store.
>
> I agree. So, we still need a ticket for ipa-certupdate to gain an
> explicit option to ignore expired certs.
>
IMHO it should be the default for certstore.get_ca_certs(). I opened
https://pagure.io/freeipa/issue/8223

I don't know of a case where we would want to fetch non-valid CA
certificates, please update the ticket if you know of any.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
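The behaviour the thread converges on (keep every CA cert in the trust store, but only hand out the ones valid at a reference time, so an earlier reference time "restores" an old CA) as an added, stand-alone illustration; this is not FreeIPA's certstore code. It assumes the `cryptography` package is installed, and the CA certificates it builds are constructed test data.

```python
"""Validity filter for a CA trust-store listing, as proposed for
certstore.get_ca_certs(): skip expired / not-yet-valid CA certs without
deleting them. Assumes the `cryptography` package is available."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_ca(name, not_before, not_after):
    """Constructed self-signed CA certificate for the demo (test data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(key, hashes.SHA256()))


def _validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes for any
    cryptography version (the *_utc accessors appeared in 42.0)."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))


def valid_ca_certs(certs, at=None):
    """Only certs whose validity window contains `at` (default: now).
    Nothing is removed from `certs`: an earlier `at` (the time-travel case
    from the thread) simply yields the old CA again."""
    at = at or datetime.datetime.now(UTC)
    return [c for c in certs if _validity_window(c)[0] <= at <= _validity_window(c)[1]]


def demo():
    """Constructed trust store: one expired, one current, one future CA."""
    now = datetime.datetime.now(UTC)
    store = [make_ca("Old IPA CA", datetime.datetime(2010, 1, 1, tzinfo=UTC),
                     datetime.datetime(2015, 1, 1, tzinfo=UTC)),
             make_ca("Current IPA CA", now - datetime.timedelta(days=1),
                     now + datetime.timedelta(days=365)),
             make_ca("Future IPA CA", now + datetime.timedelta(days=30),
                     now + datetime.timedelta(days=400))]
    names = lambda cs: [c.subject.rfc4514_string() for c in cs]
    back_then = datetime.datetime(2012, 6, 1, tzinfo=UTC)
    return names(valid_ca_certs(store)), names(valid_ca_certs(store, at=back_then))
```

`demo()` returns the current selection and the selection at the 2012 reference time, showing that the expired CA is skipped today but comes back when the reference time is moved.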
