2015-07-22 20:35 GMT+02:00 Dave Sirrine <dsirrine@redhat.com>:
Alexander,

Can you define "hard to handle"?
Hard to handle is a stock of over 4 million certificates, of which about 10% are valid ones. The LDAP database with the indexes is in the 100Gb range; LDIF backups take more than three hours and might fail if too many changes occur during the night time we run them.

 
What version of Dogtag are you using?
10.1.something (= the version that came out in February this year, but the history in that LDAP has been migrated since around 2007)

 
Are you running into performance degradation?
Yes, we had a performance degradation, but that was a lookup error in the code (I really have to get around to sending our fixes here back to you).

Unfortunately, it likely won't be too easy to segregate this data. In Dogtag 10.2 there should be a scheduled job that regularly runs through and removes all expired certs:

jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.cms.jobs.UnpublishExpiredJob
jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
Thanks for the pointer, I'll try to attach to this one.

Kind regards,

Alexander Jung