Hello,

On Mon, Aug 16, 2021 at 11:54:57AM -0400, Rob Crittenden via FreeIPA-users wrote:
> IPA Listmail wrote:
> > On Mon, Aug 16, 2021 at 11:33 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     I don't know why resetting the crl number would affect the set of
> >     revoked certificates.
> >
> >
> > Sorry, that was unclear. I meant that whatever means of shrinking, even
> > the nuclear option of completely wiping the CRL and starting with a new
> > empty CRL would be workable, though obviously not optimal. I would
> > assume that such a drastic reset would likewise reset the CRL number and
> > I was trying to say that would be okay for my purposes.
>
> Adding list back.
>
> I'm not sure that resetting the number would have the effect you suggest
> as there would still be revoked certificates within their validity
> period. It also likely breaks an RFC by using duplicate CRL numbers.
>
> rob
Rob is correct - the CRL is built from the records of expired certificates
in the database.

Yes you can regenerate the CRL on demand via the Dogtag web API on port
8443. You'll need to authenticate using the admin certificate. This
operation is not exposed via FreeIPA interfaces and is not supported in IPA
context (but it is possible).

Certificates will be removed from the CRL when their validity period has
passed (i.e. after expiry).

You can delete individual entries of expired certificates from the LDAP
database, erasing Dogtag's memory of them. Then they will not be included
in the CRL. This violates X.509, but it's a technical solution.

Hope that helps,
Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
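The two points made in the thread, that a shrunk CRL may omit certificates whose validity period has already passed but must keep the ones still within it, and that a replacement CRL must carry a strictly larger CRL number rather than a reset one, can be demonstrated at the CRL level without touching Dogtag's LDAP database. The following is an added example, not code from this thread nor from the FreeIPA or Dogtag projects; it uses the `cryptography` library, and the CA key, serial numbers, revocation dates and notAfter values are all constructed for illustration. Revocation records here are a plain dictionary standing in for the CA's database.

```python
# Added example (not from the thread, FreeIPA or Dogtag): build a CRL,
# re-issue it without the expired entries, and show the checks a relying
# party can make before accepting the replacement. All keys, serials and
# dates below are constructed for illustration.
import datetime

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime.datetime(2021, 8, 16, 12, 0, 0)
DAY = datetime.timedelta(days=1)

# Constructed revocation records: serial -> (revocation date, certificate notAfter).
RECORDS = {
    0x1001: (NOW - 400 * DAY, NOW - 30 * DAY),   # expired: may be dropped from the CRL
    0x1002: (NOW - 10 * DAY, NOW + 300 * DAY),   # still within validity: must stay listed
    0x1003: (NOW - 200 * DAY, NOW - 1 * DAY),    # expired yesterday: may be dropped
}


def make_ca():
    """Throwaway CA key and name (constructed; never reuse such a key in production)."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    return key, name


def build_crl(key, issuer, serials, number, now=NOW):
    """Sign a CRL listing `serials` and carrying the CRLNumber extension `number`."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + 7 * DAY)
        .add_extension(x509.CRLNumber(number), critical=False)
    )
    for serial in serials:
        revoked_at = RECORDS[serial][0]
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(revoked_at)
            .build(default_backend())
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256(), default_backend())


def crl_number(crl):
    """Read the CRLNumber extension of a parsed CRL."""
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def still_needed(records, now=NOW):
    """Serials that must remain on the CRL: revoked and not yet past notAfter."""
    return sorted(s for s, (_, not_after) in records.items() if not_after > now)


def reissue(key, issuer, old_crl, records, now=NOW):
    """Shrink the CRL by omitting expired certificates; the CRL number only goes up."""
    return build_crl(key, issuer, still_needed(records, now), crl_number(old_crl) + 1, now)


def to_pem(crl):
    return crl.public_bytes(serialization.Encoding.PEM)


def check_successor(old_pem, new_pem, ca_public_key):
    """Checks a relying party can make before replacing a cached CRL with a new one."""
    old = x509.load_pem_x509_crl(old_pem, default_backend())
    new = x509.load_pem_x509_crl(new_pem, default_backend())
    problems = []
    if not new.is_signature_valid(ca_public_key):
        problems.append("signature does not verify under the CA key")
    if crl_number(new) <= crl_number(old):
        problems.append("CRL number did not increase")
    if new.issuer != old.issuer:
        problems.append("issuer changed")
    return problems


if __name__ == "__main__":
    key, issuer = make_ca()
    old = build_crl(key, issuer, sorted(RECORDS), 41)
    new = reissue(key, issuer, old, RECORDS)
    print("old entries:", len(old), "new entries:", len(new))
    print("problems with shrunk CRL:", check_successor(to_pem(old), to_pem(new), key.public_key()))
    # A "wipe and start over" that reuses the old number is what a relying party rejects.
    reset = build_crl(key, issuer, [], 41)
    print("problems with reset CRL:", check_successor(to_pem(old), to_pem(reset), key.public_key()))
```

Running it shows the shrunk CRL keeping only serial 0x1002 and passing every check, while the "reset" CRL that reuses number 41 is flagged; in Dogtag the records behind `RECORDS` live in LDAP, so deleting them there (as Fraser describes) has the same effect on the next generated CRL as the `still_needed` filter has here, with the caveat that the CA then has no record of those revocations at all.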