Hello,
I did a request and certificate suppression test and restarted the IPA stack. It works!
ldapdelete -x -D "cn=directory manager" -W "cn=87289,ou=ca,ou=requests,o=ipaca"
ldapdelete -x -D "cn=directory manager" -W "cn=87273,ou=certificateRepository,ou=ca,o=ipaca"
I am going to generate the list of request and certificate entries that are
useless.
Here is a little procedure:
(the cn in ou=certificateRepository,ou=ca,o=ipaca equals the serial number, in decimal, of the X.509 certificate)
Backup IPA and save the ipaca tree:
sudo ldapsearch -x -h localhost -D "cn=directory manager" -W -b o=ipaca > /var/lib/ipa/backup/all
Certificate tree purge (ou=certificateRepository,ou=ca,o=ipaca):
1. Identify entries that have to be excluded (non-garbage certificates: used & expired certificates)
- Get the serial number of a certificate in use: sudo openssl x509 -in xxx.crt -text -noout | grep "Seria\|Not\|Sub"
2. Get the garbage certificate list (used & expired certificates are excluded):
ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(cn=))(certStatus=VALID))' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > cert_
Request tree purge (ou=ca,ou=requests,o=ipaca):
1. Identify entries that have to be excluded (non-garbage certificates: used & expired certificates)
- Get the requestID of a certificate in use: sudo ldapsearch -x -D "cn=directory manager" -W -b "cn=,ou=certificateRepository,ou=ca,o=ipaca" '(subjectName~=)' "metaInfo"
- Get the requestIDs of expired certificates: sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(certStatus=VALID)))' "metaInfo"
2. Get the garbage certificate request list (used & expired certificates are excluded): sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=ca,ou=requests,o=ipaca" '(&(extdata-req--005fsubject--005fname--002ecn=)(&(!(cn=))(!(cn=' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > req_
Check that the numbers of request and certificate entries to purge are equal:
grep -c cn= cert_
grep -c cn= req_
(I hope this will help)
Thank you for your response,
----- Original Message -----
From: "Fraser Tweedale"
To: "freeipa-users"
Cc: "David Goudet"
Sent: Thursday, November 8, 2018 2:28:03 AM
Subject: Re: [Freeipa-users] Removal & clean up certificates from o=ipaca
On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
> Hello all,
>
Hi David,
> I have to clean up a lot of useless certificates in the dirsrv database.
> Because of a resubmit loop on the Certmonger client, I have 99,9% of certificates in
> the dirsrv database that are useless and not obsolete (expiration in 2020) (it
> represents ~85 000 certificates).
>
Did you already resolve the Certmonger resubmit loop?
> These useless certificates produce some issues on FreeIPA:
> - decrease FreeIPA performance on CLI and GUI
> - increase the LDAP size
> - increase size and time of FreeIPA backup
> ...
>
> Is it possible to purge these certificates from the dirsrv database, and how?
>
Yes. You can remove them manually.
> I found two branches in LDAP directory about these certificates:
>
> dn: cn=xxx,ou=ca,ou=requests,o=ipaca
> dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
>
The certificateRepository contains the issued certificates, the
ou=ca,ou=requests contains data about the certificate requests.
Each certificateRepository entry contains a reference to the request
that produced it.
You'll have to manually work out which certs you don't want, delete
its certificateRepository entry (cn is the serial number), and
delete the corresponding request entry.
> I can remove all request and certificate entries from the dirsrv
> database, but how is it supported by the PKI manager Dogtag (CRL,
> certificate generation, OCSP)?
>
CRLs and OCSP responses are generated using the data from the
certificateRepository. Forgetting about non-expired certificates is
not valid under X.509, but since you have an operational issue, just
choose carefully which ones you keep and which ones you delete.
Don't delete the entry for any certificates in active use, OR any
non-expired but revoked certificate where you want it to appear in
CRLs or want valid OCSP responses for that certificate.
Also, whatever certificate has the highest serial number, do not
delete it. When using sequential serial numbers (which is how Dogtag
gets configured by FreeIPA), upon startup Dogtag looks for the
highest serial number to work out what the next serial number to
use is. So keep the cert with the highest serial number, otherwise
serial numbers will be reused.
Cheers,
Fraser
--
Davi
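As an added example for this thread (not part of either message above, and not code from FreeIPA or Dogtag), here is a small Python script that does the cross-check from David's procedure and Fraser's two rules in one place: it reads an LDIF dump of o=ipaca like the one saved in the backup step, lists only VALID certificates that are not in the in-use set and not the highest serial number, pairs each with its request entry, and reports any certificate whose request cannot be found, so the two counts can be compared before anything is deleted. The sample dump is constructed, and the `metaInfo: requestId:<n>` link from a certificateRepository entry to its request is an assumption about Dogtag's storage format; confirm it against your own dump before relying on it.

```python
"""Cross-check Dogtag certificate and request entries before purging.

Added example for this thread, not code from FreeIPA or Dogtag. It reads an
LDIF dump of o=ipaca (as saved by the backup step) and applies both rules
from the thread: never list an in-use certificate, and never list the
certificate with the highest serial number. The 'metaInfo: requestId:<n>'
link from a certificate to its request is an assumption; verify it first.
"""
import re

CERT_BASE = "ou=certificaterepository,ou=ca,o=ipaca"
REQ_BASE = "ou=ca,ou=requests,o=ipaca"

def _cert(serial, status, req_id):
    """Constructed certificateRepository entry (sample data, not real)."""
    return (f"dn: cn={serial},ou=certificateRepository,ou=ca,o=ipaca\n"
            f"cn: {serial}\ncertStatus: {status}\nmetaInfo: requestId:{req_id}\n")

def _req(req_id):
    """Constructed request entry (sample data, not real)."""
    return f"dn: cn={req_id},ou=ca,ou=requests,o=ipaca\ncn: {req_id}\n"

# Constructed dump: request 204 is deliberately absent so the pairing check
# has something to report; 105 is the highest serial and must survive.
SAMPLE_LDIF = "\n".join(
    [_cert(101, "VALID", 201), _cert(102, "VALID", 202),
     _cert(103, "REVOKED", 203), _cert(104, "VALID", 204),
     _cert(105, "VALID", 205)] + [_req(r) for r in (201, 202, 203, 205)])

def parse_ldif(text):
    """Return a list of entries as {attr_lowercase: [values]}.
    Handles folded continuation lines (leading space) and skips '#' comment
    lines from ldapsearch output; base64 ('::') values are left as-is."""
    entries, current, prev = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and prev is not None:
            current[prev][-1] += raw[1:]
        elif raw.startswith("#"):
            continue
        elif raw == "":
            if current:
                entries.append(current)
            current, prev = {}, None
        else:
            name, _, value = raw.partition(":")
            prev = name.lower()
            current.setdefault(prev, []).append(value.strip())
    return entries

def request_id_of(entry):
    """Request id from 'metaInfo: requestId:<n>' (assumed Dogtag format)."""
    for value in entry.get("metainfo", []):
        match = re.fullmatch(r"requestId:(\d+)", value)
        if match:
            return int(match.group(1))
    return None

def plan_purge(entries, keep_serials):
    """Return (cert_serials, request_ids, report).
    A certificate is a candidate only if certStatus is VALID, its serial is
    not in keep_serials (still in use) and it is not the highest serial.
    Its request is listed only when a matching request entry exists."""
    certs, requests = {}, set()
    for entry in entries:
        dn = entry.get("dn", [""])[0].lower()
        cn = entry.get("cn", [""])[0]
        if not cn.isdigit():
            continue
        if dn.endswith("," + CERT_BASE):
            certs[int(cn)] = entry
        elif dn.endswith("," + REQ_BASE):
            requests.add(int(cn))
    if not certs:
        return [], [], {"unpaired": [], "highest_kept": None}
    highest = max(certs)
    keep = {int(s) for s in keep_serials} | {highest}
    cert_serials, request_ids, unpaired = [], [], []
    for serial in sorted(certs):
        entry = certs[serial]
        if serial in keep or entry.get("certstatus", [""])[0] != "VALID":
            continue
        cert_serials.append(serial)
        req_id = request_id_of(entry)
        if req_id in requests:
            request_ids.append(req_id)
        else:
            unpaired.append(serial)
    return cert_serials, request_ids, {"unpaired": unpaired, "highest_kept": highest}

if __name__ == "__main__":
    # Serial 101 stands for the certificate the host currently uses (constructed).
    serials, req_ids, report = plan_purge(parse_ldif(SAMPLE_LDIF), keep_serials=[101])
    # Same two lists the procedure writes to cert_ and req_ for ldapdelete.
    for s in serials:
        print(f"cn={s},ou=certificateRepository,ou=ca,o=ipaca")
    for r in req_ids:
        print(f"cn={r},ou=ca,ou=requests,o=ipaca")
    # The counts must match before deleting anything; here they do not,
    # because 104 points at a request that is not in the dump.
    print(len(serials), len(req_ids), report)
```

Run it against a real dump by replacing SAMPLE_LDIF with the contents of the backup file and keep_serials with the serials read from the certificates in use; a non-empty "unpaired" list means the two ldapdelete lists would not line up and should be investigated before anything is removed.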