On Mon, Oct 19, 2015 at 11:25:49AM -0400, Peter P. wrote:
> Hi Fraser,
>
> Thank you for your reply. I am trying to revoke certificates in bulk
> quantities because I'm using my instance of Dogtag for internal testing of
> an application that over time enrolls a large amount of certificates. I
> figured it would be a good idea to clear them out periodically. If there is no
> issue with letting the issued certificates accumulate then I won't worry
> about needing to clear them out.

Revoking would not help in that regard anyway - revoked certificates
are still kept in the database. Indeed, they must be, so that CRLs and
OCSP responses can contain the correct information about the
certificate.

Regards,
Fraser

> Thank you,
> Peter

On Wed, Oct 14, 2015 at 8:56 PM, Fraser Tweedale <ftweedal(a)redhat.com>
wrote:
> On Wed, Oct 14, 2015 at 02:17:49PM -0400, Peter P. wrote:
> > Hi,
> >
> > I have an instance of Dogtag installed on my Fedora 22 server and I wanted
> > to know if there is a way to revoke all the certificates ever issued by my
> > Dogtag CA in one shot.
> >
> The web interface does give you a way to revoke many certs at once.
> Whether it can do "all" depends on how many certs you've issued :)
> You could also script this using the CLI. But what is it you are
> actually trying to achieve? Would it be sufficient to revoke the
> issuer certificate instead?
>
> > Also, is there any bound/limit to the amount of valid certificates that can
> > be issued by an instance of Dogtag?
> >
> Conceptually no. In reality, you could run out of disk or, on
> operations that involve many certificates (e.g. generate a CRL with
> a huge number of non-expired revoked certs) then possibly hit memory
> limits.
>
> Cheers,
> Fraser
>
> > Thank you,
> >
> > Peter