Orion Poplawski wrote:
> On 1/20/23 15:39, Rob Crittenden wrote:
>> Jochen Kellner via FreeIPA-users wrote:
>>> Orion Poplawski via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>>> writes:
>>>
>>>> Does anyone know of a script or way to get a list of certificates issued by
>>>> the IPA CA that are about to expire?
>>>
>>> I do have a small script for byobu that warns when certificates are
>>> about to expire and I verify refresh really works - that's only useful
>>> for small installations with a small number of certificates.
>>>
>>> In short: get a time interval with date and feed the dates into "ipa
>>> cert-find". Have fun!
>>
>> There is a --status option you can set to valid which should return only
>> currently valid certs (e.g. no revoked, expired, etc).
>>
>> rob
> 
> Thanks for the suggestions.  I ended up going with the following because we
> have superseded certs that are not revoked.  We're going to assume that the
> new certs are put into the proper locations.  It's pretty pathological bash,
> but I still get a perverse thrill from that. ;)
> 
> On the revocation topic - is it possible to get the previous certs that are
> renewed by certmonger automatically revoked?

No automatic way. The assumption is they will expire soon so there is no
reason for revocation. You'd have to revoke them manually.

rob

> 
> #!/bin/bash
> 
> now=$(date +%s)
> declare -A expires
> 
> KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
>     ipa cert-find --status=VALID --sizelimit=0 | grep -E "(Subject|Not After):" |
>         sed 's/^ *//' | ( while IFS=":" read key value
>     do
>         if [ "$key" = "Subject" ]
>         then
>             subj=${value# }
>         else
>             expires["$subj"]=${value# }
>         fi
>     done
> 
>     for subj in "${!expires[@]}"
>     do
>         daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - $now ) / 86400 ))
>         [ $daysleft -le 100 ] && echo $subj expires at ${expires[$subj]}
>     done )
> 
> 
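An added example for the superseded-certificate problem raised above (this is editor-written code, not Orion's script and not part of FreeIPA). The bash version keys its table by subject and keeps whichever "Not After" it reads last, so when certmonger has renewed a certificate and the old one is still valid and unrevoked, the stale entry can win and trigger a false alarm, or the fresh entry can hide a genuinely old certificate that was never replaced. The script below parses the text output of `ipa cert-find --status=VALID --sizelimit=0`, keeps only the newest certificate per subject, and reports the ones within a threshold. The sample output is constructed to mimic the CLI's layout (field names and the `%a %b %d %H:%M:%S %Y UTC` timestamp format are as the CLI prints them; the serials, subjects and dates are invented), and `run_cert_find` assumes the same keytab environment the thread uses.

```python
"""Report IPA-issued certificates whose newest copy is close to expiry.

Added example for this thread; not FreeIPA's own code.  It groups the
output of `ipa cert-find` by subject and keeps only the latest "Not After"
per subject, so unrevoked certificates that certmonger has already
superseded do not produce spurious warnings.
"""
import os
import subprocess
from datetime import datetime, timezone

# Timestamp layout printed by the ipa CLI, e.g. "Sat Jan 20 15:39:00 2024 UTC".
IPA_TIME_FMT = "%a %b %d %H:%M:%S %Y UTC"

# Constructed sample of `ipa cert-find` text output (values are invented):
# host1 has an old and a renewed cert, the HTTP service has only one.
SAMPLE_OUTPUT = """\
----------------------
3 certificates matched
----------------------
  Serial number: 11
  Subject: CN=host1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Jan 23 10:00:00 2023 UTC
  Not After: Tue Jan 23 10:00:00 2024 UTC
  Revoked: False

  Serial number: 27
  Subject: CN=host1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Sun Dec 10 10:00:00 2023 UTC
  Not After: Tue Dec 10 10:00:00 2024 UTC
  Revoked: False

  Serial number: 19
  Subject: CN=HTTP/ipa.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Thu Feb 09 10:00:00 2023 UTC
  Not After: Fri Feb 09 10:00:00 2024 UTC
  Revoked: False
----------------------------
Number of entries returned 3
----------------------------
"""

# Fixed "now" used for the worked example so the result is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_cert_find(text):
    """Split CLI output into one dict of field -> value per certificate."""
    certs, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, dashed rules and summary lines separate records.
        if not line or ":" not in line:
            if current:
                certs.append(current)
                current = {}
            continue
        key, value = line.split(":", 1)  # "Not After: Fri ... 10:00:00 ..." keeps its colons
        current[key.strip()] = value.strip()
    if current:
        certs.append(current)
    return certs


def newest_per_subject(certs):
    """For each subject keep the certificate with the latest Not After."""
    newest = {}
    for cert in certs:
        subj, not_after = cert.get("Subject"), cert.get("Not After")
        if not subj or not not_after:
            continue
        expires = datetime.strptime(not_after, IPA_TIME_FMT).replace(tzinfo=timezone.utc)
        if subj not in newest or expires > newest[subj]["expires"]:
            newest[subj] = {"serial": cert.get("Serial number"), "expires": expires}
    return newest


def expiring(text, now, days=100):
    """Return [(subject, serial, days_left)] for subjects whose newest cert
    expires within `days`, soonest first."""
    hits = []
    for subj, info in newest_per_subject(parse_cert_find(text)).items():
        days_left = (info["expires"] - now).days
        if days_left <= days:
            hits.append((subj, info["serial"], days_left))
    return sorted(hits, key=lambda h: h[2])


def run_cert_find():
    """Run the real CLI with the host keytab, as the thread's script does."""
    env = dict(os.environ, KRB5_CLIENT_KTNAME="/etc/krb5.keytab")
    return subprocess.run(["ipa", "cert-find", "--status=VALID", "--sizelimit=0"],
                          check=True, capture_output=True, text=True, env=env).stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for run_cert_find() on a real IPA client.
    for subj, serial, left in expiring(SAMPLE_OUTPUT, SAMPLE_NOW):
        print(f"{subj} (serial {serial}) expires in {left} days")
```

With the sample data, host1's superseded serial 11 (22 days left on 1 Jan 2024) is ignored because serial 27 is newer, and only the HTTP service certificate is reported. Note that a certificate certmonger failed to renew still shows up, since in that case the old one is the newest on record; that is exactly the condition worth alerting on.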
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org