Jochen Kellner via FreeIPA-users wrote:
> Orion Poplawski via FreeIPA-users <[email protected]>
> writes:
>
>> Does anyone know of a script or way to get a list of certificates issued by
>> the IPA CA that are about to expire?
>
> I do have a small script for byobu that warns when certificates are
> about to expire and I verify refresh really works - that's only useful
> for small installations with a small number of certificates.
>
> In short: get a time interval with date and feed the dates into "ipa
> cert-find". Have fun!
There is a --status option you can set to valid which should return only
currently valid certs (e.g. not revoked, expired, etc.).
rob
>
> #! /bin/bash
> #
> # Display the expiring certificates for the next few weeks
> # This is called from byobu every 20 minutes
> #
> now=$(date +"%Y-%m-%d")
> end=$(date -d "+27 days" +"%Y-%m-%d")
>
> count=0
> revoked=0
>
> # If we call the script manually with "--verbose", give a list
> # of the expiring certificates - display subject, expiry date and
> # serial number. Stop the script execution.
> if [ "x$1" = "x--verbose" ]; then
>     env LC_ALL=C.UTF-8 KRB5_CLIENT_KTNAME=~/work/freeipa/jochen.keytab \
>         ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | \
>         grep -E "(Subject|Not After|Serial number):"
>     exit
> fi
>
> # Count the expiring and possibly revoked certificates
> # (the line continuation after "$now" is required, otherwise the
> # --validnotafter-to option would be run as a separate command)
> eval "$(env LC_ALL=C.UTF-8 ipa cert-find --validnotafter-from="$now" \
>     --validnotafter-to="$end" | \
>     awk '/certificates matched/ { count=$1 } /REVOKED/ { revoked++ } END {
>         printf("count=%d\nrevoked=%d\n", count, revoked) }')"
>
> # If no cert is near expiry - display nothing
> if [ "$count" -ne 0 ]; then
>     if [ "$count" -eq "$revoked" ]; then
>         # all expiring certificates are also revoked - display green
>         echo "#[fg=green]$count certs, $revoked revoked#[default]"
>     else
>         # there are expiring certificates which are possibly still active
>         # Looking for an already renewed certificate seems to be
>         # expensive performance-wise.
>         echo "#[bg=red]$count certs, $revoked revoked#[default]"
>     fi
> fi
>
>
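As an added example, not part of Jochen's script or of FreeIPA itself: the same expiry-window check done in Python over a constructed `ipa cert-find` listing, so the counting and the "all revoked, nothing to renew" distinction can be tested without a server. The record layout, the `Status: REVOKED` line, the `Not After` date format and the sample "today" (`NOW_SAMPLE`) are assumptions; the byobu script instead lets the server filter with `--validnotafter-from`/`--validnotafter-to`.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample of `ipa cert-find` output; not captured from a real server.
SAMPLE = """\
-----------------------
3 certificates matched
-----------------------
  Serial number: 41
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Not After: Mon Jul 01 10:00:00 2024 UTC
  Status: VALID

  Serial number: 42
  Subject: CN=old.example.test,O=EXAMPLE.TEST
  Not After: Wed Jun 19 09:30:00 2024 UTC
  Status: REVOKED

  Serial number: 43
  Subject: CN=ldap.example.test,O=EXAMPLE.TEST
  Not After: Sun Dec 01 00:00:00 2024 UTC
  Status: VALID
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"  # assumed cert-find date format
NOW_SAMPLE = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed "today"

def parse_cert_find(text):
    # One dict per certificate record; records are separated by blank lines.
    certs = []
    for block in re.split(r"\n\s*\n", text):
        parts = (ln.strip().partition(":") for ln in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in parts if sep}
        if "Serial number" in fields:      # skips the "N certificates matched" header
            certs.append(fields)
    return certs

def summarize(text, now, days):
    # Count certs whose Not After falls in [now, now + days]; flag revoked ones.
    end = now + timedelta(days=days)
    count, revoked, pending = 0, 0, []
    for c in parse_cert_find(text):
        not_after = datetime.strptime(c["Not After"], DATE_FMT).replace(tzinfo=timezone.utc)
        if now <= not_after <= end:
            count += 1
            if c.get("Status") == "REVOKED":
                revoked += 1               # already revoked: nothing to renew
            else:
                pending.append(c["Serial number"])
    return {"count": count, "revoked": revoked, "pending": pending}

def status_line(s):
    # Same byobu markup as the script: green when every expiring cert is revoked.
    if s["count"] == 0:
        return ""
    colour = "fg=green" if s["count"] == s["revoked"] else "bg=red"
    return f"#[{colour}]{s['count']} certs, {s['revoked']} revoked#[default]"
```

With a 27-day window from the sample date, serial 41 and the revoked serial 42 fall inside it and serial 43 does not, so `pending` names only 41 as needing renewal.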
_______________________________________________
FreeIPA-users mailing list -- [email protected]