On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really
> operates on the "first" value returned (I didn't look at more recent
> versions). In this case it is the 267976717 cert. The other certs shown
> without details are for the other serial numbers that cert-find is reporting.

> I can't see a way that this first usercertificate value isn't revoked and
> removed upon renewal so I can't quite figure out how you got into this
> state (and so easily as I understand it). I wasn't able to reproduce it
> myself. Do you have any idea how widespread this is in your infrastructure?
> I can see that, once in this state, any "extra" certs would just be
> stuck there, never to be revoked.

This is happening all over the place.

I guess I will have to script this: retrieve the usercertificate attribute
of the host computers, get their 'not before/not after' and serial number
values, and revoke the oldest valid ones in case there is more than one
valid one. This should not be very hard.

I need to monitor the certmonger status as well; a Nagios plugin should do
the trick.
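The cleanup sketched in the reply, as an added example that is not part of the thread or of FreeIPA's own code: a stdlib-only Python script that pulls serial and validity out of each raw DER value of a host's usercertificate attribute and lists the "extra" currently valid certs to revoke, keeping only the newest. The sample values are constructed, unsigned, structurally minimal TBS blobs; in practice the bytes come from LDAP and the returned serials would be handed to `ipa cert-revoke`.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _time(tag, raw):                                # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_summary(der):
    """(serial, not_before, not_after) of one DER-encoded usercertificate value."""
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                 # skip optional [0] EXPLICIT version
    _, serial, pos = _tlv(tbs, pos)                 # serialNumber INTEGER
    _, _, pos = _tlv(tbs, pos)                      # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                      # issuer Name
    _, validity, _ = _tlv(tbs, pos)                 # validity SEQUENCE {notBefore, notAfter}
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return int.from_bytes(serial, "big"), _time(t1, nb), _time(t2, na)

def serials_to_revoke(der_values, now):
    """Every currently valid cert except the most recently issued one is an 'extra'."""
    valid = [c for c in map(cert_summary, der_values) if c[1] <= now <= c[2]]
    valid.sort(key=lambda c: c[1])                  # oldest notBefore first
    return [serial for serial, _, _ in valid[:-1]]

# Constructed sample data: unsigned, structurally minimal TBS blobs (not real IPA certs).
def _der(tag, body):
    return bytes([tag, len(body)]) + body           # short-form length suffices here

def _fake_cert(serial, nb, na):
    validity = _der(0x30, _der(0x17, nb.encode()) + _der(0x17, na.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(4, "big"))
           + _der(0x30, b"") + _der(0x30, b"") + validity)
    return _der(0x30, _der(0x30, tbs))

SAMPLE = [_fake_cert(267976717, "150101000000Z", "170101000000Z"),   # older, still valid
          _fake_cert(267976999, "160901000000Z", "180901000000Z"),   # newest renewal
          _fake_cert(267900000, "130101000000Z", "150101000000Z")]   # already expired

if __name__ == "__main__":
    print(serials_to_revoke(SAMPLE, datetime(2016, 10, 4, tzinfo=timezone.utc)))  # [267976717]
```

Expired certs are left alone since revoking them changes nothing; only the overlapping valid ones are the problem the reply describes.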

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project