Orion Poplawski wrote:
> On 1/20/23 15:39, Rob Crittenden wrote:
>> Jochen Kellner via FreeIPA-users wrote:
>>> Orion Poplawski via FreeIPA-users <[email protected]>
>>> writes:
>>>
>>>> Does anyone know of a script or way to get a list of certificates issued by
>>>> the IPA CA that are about to expire?
>>>
>>> I do have a small script for byobu that warns when certificates are
>>> about to expire and I verify refresh really works - that's only useful
>>> for small installations with a small number of certificates.
>>>
>>> In short: get a time interval with date and feed the dates into "ipa
>>> cert-find". Have fun!
>>
>> There is a --status option you can set to valid which should return only
>> currently valid certs (e.g. no revoked, expired, etc).
>>
>> rob
>
> Thanks for the suggestions. I ended up going with the following because we
> have superseded certs that are not revoked. We're going to assume that the
> new certs are put into the proper locations. It's pretty pathological bash,
> but I still get a perverse thrill from that. ;)
>
> On the revocation topic - is it possible to get the previous certs that are
> renewed by certmonger automatically revoked?

No automatic way. The assumption is they will expire soon so there is no
reason for revocation. You'd have to revoke them manually.

rob

>
> #!/bin/bash
>
> now=$(date +%s)
> declare -A expires
>
> # List valid certs and keep only the Subject and Not After lines.
> KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
> ipa cert-find --status=VALID --sizelimit=0 | grep -E "(Subject|Not After):" |
> sed 's/^ *//' | ( while IFS=":" read -r key value
>   do
>     if [ "$key" = "Subject" ]
>     then
>       subj=${value# }
>     else
>       # A later entry for the same subject overwrites the earlier one.
>       expires["$subj"]=${value# }
>     fi
>   done
>
>   # Report subjects whose recorded expiry is 100 days away or less.
>   for subj in "${!expires[@]}"
>   do
>     daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - now) / 86400 ))
>     [ "$daysleft" -le 100 ] && echo "$subj expires at ${expires[$subj]}"
>   done )
>
>
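
Added example, not part of the thread or of FreeIPA: a POSIX sh filter for the same `ipa cert-find` output that keeps the latest Not After per subject, so a superseded but unrevoked certificate stops raising a warning once its replacement exists, whatever order the entries are listed in. The host names, the sample listing and the function names are constructed for illustration; GNU date is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU date, as the thread's script does.

# Constructed sample in the layout `ipa cert-find` prints (hypothetical hosts).
# web.example.test has its renewed cert listed BEFORE the superseded one.
sample_cert_find_output() {
cat <<'EOF'
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Not After: Thu Jan 15 12:00:00 2026 UTC
  Status: VALID
  Subject: CN=ldap.example.test,O=EXAMPLE.TEST
  Not After: Fri Mar 01 12:00:00 2024 UTC
  Status: VALID
  Subject: CN=mail.example.test,O=EXAMPLE.TEST
  Not After: Mon Jan 08 12:00:00 2024 UTC
  Status: VALID
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Not After: Sat Feb 10 12:00:00 2024 UTC
  Status: VALID
EOF
}

# expiring_certs DAYS [NOW_EPOCH]: reads cert-find text on stdin and prints
# "<days left><TAB><subject>" for subjects whose newest cert ends within DAYS.
expiring_certs() {
    days=$1
    now=${2:-$(date +%s)}
    subj=
    while IFS= read -r line; do
        line=${line#"${line%%[! ]*}"}            # trim leading spaces
        case $line in
            "Subject: "*) subj=${line#"Subject: "} ;;
            "Not After: "*)
                end=$(date -u --date="${line#"Not After: "}" +%s) || continue
                printf '%s\t%s\n' "$end" "$subj" ;;
        esac
    done |
    awk -F '\t' -v now="$now" -v days="$days" '
        $1 + 0 > latest[$2] + 0 { latest[$2] = $1 + 0 }  # newest expiry per subject
        END {
            for (s in latest) {
                left = int((latest[s] - now) / 86400)
                if (left <= days) printf "%d\t%s\n", left, s
            }
        }' | sort -n
}

# Demo on the sample with a fixed "now"; live use would be:
#   ipa cert-find --status=VALID --sizelimit=0 | expiring_certs 100
sample_cert_find_output | expiring_certs 100 "$(date -u --date='2024-01-01' +%s)"
```

With the sample and a reference time of 2024-01-01, only the mail and ldap subjects are listed; the web subject is skipped because its renewed certificate runs to 2026.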