Orion Poplawski wrote:
> On 1/20/23 15:39, Rob Crittenden wrote:
>> Jochen Kellner via FreeIPA-users wrote:
>>> Orion Poplawski via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>>> writes:
>>>
>>>> Does anyone know of a script or way to get a list of certificates issued by
>>>> the IPA CA that are about to expire?
>>>
>>> I do have a small script for byobu that warns when certificates are
>>> about to expire and I verify refresh really works - that's only useful
>>> for small installations with a small number of certificates.
>>>
>>> In short: get a time interval with date and feed the dates into "ipa
>>> cert-find". Have fun!
>>
>> There is a --status option you can set to valid which should return only
>> currently valid certs (e.g. no revoked, expired, etc).
>>
>> rob
>
> Thanks for the suggestions. I ended up going with the following because we
> have superseded certs that are not revoked. We're going to assume that the
> new certs are put into the proper locations. It's pretty pathological bash,
> but I still get a perverse thrill from that. ;)
>
> On the revocation topic - is it possible to get the previous certs that are
> renewed by certmonger automatically revoked?

No automatic way. The assumption is they will expire soon so there is no
reason for revocation. You'd have to revoke them manually.

rob

>
> #!/bin/bash
>
> now=$(date +%s)
> declare -A expires
>
> # Keep only the Subject and Not After lines; a later entry for the same
> # subject overwrites the earlier one.
> KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
> ipa cert-find --status=VALID --sizelimit=0 | grep -E "(Subject|Not After):" |
> sed 's/^ *//' | ( while IFS=":" read -r key value
> do
>   if [ "$key" = "Subject" ]
>   then
>     subj=${value# }
>   else
>     expires["$subj"]=${value# }
>   fi
> done
>
> # Report every subject with 100 days or less remaining.
> for subj in "${!expires[@]}"
> do
>   daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - now) / 86400 ))
>   [ "$daysleft" -le 100 ] && echo "$subj expires at ${expires[$subj]}"
> done )
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
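
An added example, not code from this thread or from the FreeIPA project: it works on saved `ipa cert-find` text, judges expiry on the newest certificate per subject by date rather than by listing order, and also lists the serials of superseded certificates that are still inside their validity window, the ones the reply above says would have to be revoked manually. The sample listing, the `Serial number:` field and the function names are assumptions made for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample, not real server output. "Subject" and "Not After" are
# the lines the script above greps for; "Serial number" is an assumption.
SAMPLE = """\
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Not After: Wed Mar 01 12:00:00 2023 UTC
  Serial number: 11
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Not After: Mon Jan 20 12:00:00 2025 UTC
  Serial number: 27
  Subject: CN=ldap.example.test,O=EXAMPLE.TEST
  Not After: Sat Apr 15 12:00:00 2023 UTC
  Serial number: 12
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"

def parse_certs(text):
    """Return a list of (subject, not_after, serial) tuples."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Subject":
            cur = {"subject": value}  # a new record starts here
        elif key == "Not After" and cur:
            parsed = datetime.strptime(value, DATE_FMT)
            cur["not_after"] = parsed.replace(tzinfo=timezone.utc)
        elif key == "Serial number" and "not_after" in cur:
            certs.append((cur["subject"], cur["not_after"], int(value)))
    return certs

def report(certs, now, days=100):
    """Return (expiring, superseded), judged on the newest cert per subject."""
    newest = {}
    for subject, not_after, serial in certs:
        if subject not in newest or not_after > newest[subject][0]:
            newest[subject] = (not_after, serial)
    expiring = sorted((subj, (na - now).days) for subj, (na, _) in newest.items()
                      if (na - now).days <= days)
    # Older certs for a subject that have not expired yet: revocation candidates.
    superseded = sorted(serial for subj, na, serial in certs
                        if serial != newest[subj][1] and na > now)
    return expiring, superseded

if __name__ == "__main__":
    now = datetime(2023, 1, 25, tzinfo=timezone.utc)  # fixed "now" for the sample
    print(report(parse_certs(SAMPLE), now))
```

With the sample, only the ldap subject is reported as expiring; serial 11 is not an expiry warning because serial 27 replaces it, but it is listed as still valid.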