On Wed, Nov 11, 2015 at 03:41:34PM -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> >On 11/10/2015 10:59 PM, Fraser Tweedale wrote:
> >>On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
> >>>hi,
> >>>
> >>>do we need to keep all the MasterCRL-YYYYMMDD-HHMMSS.der files or can we
> >>>purge them on a regular basis (say, keep 60 days dump the rest)?
> >>>
> >>>$ ls -l | wc -l
> >>>3621
> >>>
> >>>this is in a server installed 3 years ago.
> >>>
> >>>--
> >>>Greetings,
> >>>natxo
> >>>
> >>Hi Natxo,
> >>
> >>You can purge them. I am not sure why we keep the old ones around;
> >>can someone fill me in?
> >
> >This was not touched long ago. CCing Rob in case he has an idea, but if
> >not - you are probably the best person to improve it :-)
> >
>
> I don't know if I considered this at all back in the day but I agree it is
> probably up to dogtag to prune this directory. The files to keep should be
> based on the generation schedule. I can't think of any value an older CRL
> might provide though perhaps that should be configurable too.
>
> rob
>

I filed tickets:

https://fedorahosted.org/pki/ticket/1696
https://fedorahosted.org/freeipa/ticket/5447

I do not think it is a high priority because it can be achieved with
a simple cron job. But we should change the default behaviour
eventually.

Cheers,
Fraser
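
A sketch of the kind of cron job mentioned in the thread, as an added example that is not part of the original messages and is not FreeIPA or Dogtag code. It prunes by the timestamp embedded in each `MasterCRL-YYYYMMDD-HHMMSS.der` name rather than by mtime (which changes when files are copied or restored) and always keeps the newest dump. The function names are hypothetical, the publish directory is passed as an argument because the thread does not name it, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example, not FreeIPA or Dogtag code. Assumes GNU date and that the
# stamp in each file name uses the same time zone as `date` on this host.

# Print YYYYMMDDHHMMSS for a MasterCRL-YYYYMMDD-HHMMSS.der name, else fail.
crl_stamp() {
    n=${1##*/}
    case $n in
        MasterCRL-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9].der) ;;
        *) return 1 ;;
    esac
    n=${n#MasterCRL-}; n=${n%.der}
    printf '%s%s\n' "${n%-*}" "${n#*-}"
}

# prune_crls DIR CUTOFF [dry-run]
# Remove dumps stamped before CUTOFF (YYYYMMDDHHMMSS) but always keep the
# newest one. Prints the name of every file it removes (or would remove).
prune_crls() {
    dir=$1; cutoff=$2; mode=${3:-delete}; newest=0
    for f in "$dir"/MasterCRL-*.der; do
        st=$(crl_stamp "$f") || continue
        if [ "$st" -gt "$newest" ]; then newest=$st; fi
    done
    for f in "$dir"/MasterCRL-*.der; do
        # Only regular files: never follow or delete symlinks.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        st=$(crl_stamp "$f") || continue
        if [ "$st" -ge "$cutoff" ] || [ "$st" -eq "$newest" ]; then continue; fi
        printf '%s\n' "${f##*/}"
        if [ "$mode" != dry-run ]; then rm -f -- "$f"; fi
    done
}

# Script entry point: prune.sh DIR [DAYS] [dry-run]
# DAYS defaults to 60, the retention figure suggested in the thread.
if [ -n "${1:-}" ]; then
    prune_crls "$1" "$(date -d "${2:-60} days ago" +%Y%m%d%H%M%S)" "${3:-}"
fi
```

Running it once with `dry-run` as the third argument lists what a scheduled run would delete without touching anything.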