Re: [Freeipa-users] mastercrl files

2015-11-11 Thread Fraser Tweedale
On Wed, Nov 11, 2015 at 03:41:34PM -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> >On 11/10/2015 10:59 PM, Fraser Tweedale wrote:
> >>On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
> >>>hi,
> >>>
> >>>do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
> >>>purge them on a regular basis (say, keep 60 days dump the rest)?
> >>>
> >>>$ ls -l | wc -l
> >>>3621
> >>>
> >>>this is in a server installed 3 years ago.
> >>>
> >>>--
> >>>Groeten,
> >>>natxo
> >>>
> >>Hi Natxo,
> >>
> >>You can purge them.  I am not sure why we keep the old ones around;
> >>can someone fill me in?
> >
> >This was not touched loong ago. CCing Rob in case he has an idea, but if
> >not - you are probably the best person to improve it :-)
> >
> 
> I don't know if I considered this at all back in the day but I agree it is
> probably up to dogtag to prune this directory. The files to keep should be
> based on the generation schedule. I can't think of any value an older CRL
> might provide though perhaps that should be configurable too.
> 
> rob
>
I filed tickets:

https://fedorahosted.org/pki/ticket/1696
https://fedorahosted.org/freeipa/ticket/5447

I do not think it is a high priority because it can be achieved with
a simple cron job.  But we should change the default behaviour
eventually.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
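
The cron job mentioned in the message above could look like the following. This is an added example, not code from the thread or from the FreeIPA or Dogtag projects; the function name `prune_crls`, its arguments and the keep-newest safeguard are assumptions, and the 60-day default is the retention figure from the original question.

```shell
#!/bin/sh
# Added example: prune published CRL files from cron.
# Usage: prune_crls DIR [DAYS] [KEEP_MIN]
#   DIR       directory holding the MasterCRL-*.der files (site-specific;
#             the thread does not name it, so it is a required argument)
#   DAYS      remove files last modified more than DAYS days ago (default 60)
#   KEEP_MIN  newest files to keep regardless of age (default 1)
prune_crls() {
    dir=${1%/}; days=${2:-60}; keep=${3:-1}
    [ -d "$dir" ] || { echo "prune_crls: not a directory: $dir" >&2; return 2; }
    for n in "$days" "$keep"; do
        case $n in
            ''|*[!0-9]*) echo "prune_crls: not a number: $n" >&2; return 2 ;;
        esac
    done

    # Protect the newest KEEP_MIN files by mtime. If CRL generation has
    # stalled, an age-only purge would otherwise delete the current CRL.
    protected=$(ls -1td -- "$dir"/MasterCRL-*.der 2>/dev/null | head -n "$keep")

    # -maxdepth 1 and -type f keep the job out of subdirectories and away
    # from symlinks; the -name pattern leaves every other file alone.
    find "$dir" -maxdepth 1 -type f -name 'MasterCRL-*.der' -mtime +"$days" |
        grep -Fxv -e "$protected" |
        while IFS= read -r f; do
            rm -f -- "$f" && printf 'removed %s\n' "$f"
        done
}

# Run directly with arguments, e.g. from a daily cron entry.
if [ "$#" -gt 0 ]; then
    prune_crls "$@"
fi
```

Each removed path is printed, so cron's mail or log output records what was deleted on every run.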


Re: [Freeipa-users] mastercrl files

2015-11-11 Thread Rob Crittenden

Martin Kosek wrote:
> On 11/10/2015 10:59 PM, Fraser Tweedale wrote:
>> On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
>>> hi,
>>>
>>> do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
>>> purge them on a regular basis (say, keep 60 days dump the rest)?
>>>
>>> $ ls -l | wc -l
>>> 3621
>>>
>>> this is in a server installed 3 years ago.
>>>
>>> --
>>> Groeten,
>>> natxo
>>
>> Hi Natxo,
>>
>> You can purge them.  I am not sure why we keep the old ones around;
>> can someone fill me in?
>
> This was not touched loong ago. CCing Rob in case he has an idea, but if
> not - you are probably the best person to improve it :-)

I don't know if I considered this at all back in the day but I agree it 
is probably up to dogtag to prune this directory. The files to keep 
should be based on the generation schedule. I can't think of any value 
an older CRL might provide though perhaps that should be configurable too.


rob



Re: [Freeipa-users] mastercrl files

2015-11-11 Thread Martin Kosek

On 11/10/2015 10:59 PM, Fraser Tweedale wrote:
> On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
>> hi,
>>
>> do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
>> purge them on a regular basis (say, keep 60 days dump the rest)?
>>
>> $ ls -l | wc -l
>> 3621
>>
>> this is in a server installed 3 years ago.
>>
>> --
>> Groeten,
>> natxo
>
> Hi Natxo,
>
> You can purge them.  I am not sure why we keep the old ones around;
> can someone fill me in?

This was not touched loong ago. CCing Rob in case he has an idea, but if not - 
you are probably the best person to improve it :-)




Re: [Freeipa-users] mastercrl files

2015-11-10 Thread Fraser Tweedale
On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote:
> hi,
> 
> do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we
> purge them on a regular basis (say, keep 60 days dump the rest)?
> 
> $ ls -l | wc -l
> 3621
> 
> this is in a server installed 3 years ago.
> 
> --
> Groeten,
> natxo
>
Hi Natxo,

You can purge them.  I am not sure why we keep the old ones around;
can someone fill me in?

Cheers,
Fraser
