Natxo Asenjo wrote:

On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote:

    usercertificate is a multi-valued LDAP attribute but IPA 3.0 only
    really operates on the "first" value returned (I didn't look at more
    recent versions). In this case it is the 267976717 cert. The other
    certs shown without details are for the other serial numbers that
    cert-find is reporting

    I can't see a way that this first usercertificate value isn't
    revoked and removed upon renewal so I can't quite figure out how you
    got into this state (and so easily as I understand it). I wasn't
    able to reproduce it myself. Do you have any idea how wide-spread
    this is in your infrastructure?

    I can see that once in this state that any "extra" certs would just
    be stuck there, never to be revoked.

This is happening all over the place.

I guess I will have to script this: retrieve the usercertificate
attribute of the host computers, get their 'not before/not after' and
serial number values, and revoke the oldest valid ones in case there is
more than one valid one. This should not be very hard.

I need to monitor the certmonger status as well, a nagios plugin should
do the trick.

You may want to open a bug against RHEL 6 on this as well.
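One way to script the cleanup described in this reply, added here as an example that is not from the thread or from FreeIPA itself. It assumes the "Serial number", "Not Before" and "Not After" lines of `ipa cert-show` output, a constructed sample of per-host certificates, and that only currently valid certificates are candidates; per host it keeps the newest valid one and lists the rest for revocation.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed timestamp format of "ipa cert-show" output, e.g. "Not Before: Mon Oct 03 13:00:00 2016 UTC".
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"
FIELD_RE = re.compile(r"^\s*(Serial number|Not Before|Not After):\s*(.+?)\s*$")


@dataclass
class HostCert:
    host: str
    serial: int
    not_before: datetime
    not_after: datetime


def parse_cert_show(host: str, text: str) -> HostCert:
    """Pull serial and validity window out of one 'ipa cert-show' block."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    ts = lambda s: datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)
    return HostCert(host, int(fields["Serial number"]),
                    ts(fields["Not Before"]), ts(fields["Not After"]))


def serials_to_revoke(certs, now):
    """Per host: among certs valid at 'now', keep the one with the latest Not Before
    and return the serials of the others. Expired certs are left alone: revoking
    them changes nothing and only grows the CRL."""
    by_host = {}
    for c in certs:
        by_host.setdefault(c.host, []).append(c)
    stale = []
    for cs in by_host.values():
        valid = sorted((c for c in cs if c.not_before <= now < c.not_after),
                       key=lambda c: c.not_before)
        stale.extend(c.serial for c in valid[:-1])
    return sorted(stale)


# Constructed sample: host1 carries one expired and two valid certs, host2 a single valid one.
SAMPLE = [
    ("host1.example.test", "Serial number: 1001\nNot Before: Sat Oct 03 09:00:00 2015 UTC\nNot After: Mon Oct 03 09:00:00 2016 UTC"),
    ("host1.example.test", "Serial number: 1002\nNot Before: Wed Mar 02 10:00:00 2016 UTC\nNot After: Thu Mar 02 10:00:00 2017 UTC"),
    ("host1.example.test", "Serial number: 1003\nNot Before: Thu Sep 29 08:00:00 2016 UTC\nNot After: Fri Sep 29 08:00:00 2017 UTC"),
    ("host2.example.test", "Serial number: 2001\nNot Before: Wed Mar 02 10:00:00 2016 UTC\nNot After: Thu Mar 02 10:00:00 2017 UTC"),
]
NOW = datetime(2016, 10, 3, 17, 32, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    certs = [parse_cert_show(h, t) for h, t in SAMPLE]
    for serial in serials_to_revoke(certs, NOW):  # expect only 1002
        print(f"ipa cert-revoke {serial} --revocation-reason=4")  # 4 = superseded
```

Serial 1001 is already expired, so it is skipped; 1003 is the newest valid cert on host1 and stays; 1002 is the only one the script would revoke.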
