2015-07-22 22:43 GMT+02:00 Christina Fu <cfu(a)redhat.com>:
Thank you Dave for bringing this email to my attention...somehow it
slipped by me.
I just want to point out that if you do choose to "remove" certs from the
internal ldap repository, please do not remove any certs that are revoked
but not yet expired. Doing so will cause your CRL generation to miss the
revoked certificates, and render them valid when checked upon by clients.
It would be a big security violation of PKI.
Yes, I am planning to move only the expired (or revoked-and-expired) certs.
While we do not really use the CRL any more (OCSP is the thing nowadays
:-), we keep it for compatibility...
Kind regards,
Alexander Jung
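The hazard Christina describes, as an added illustration that is not code from the thread, from Dogtag, or from either author: a small model of a CA's certificate repository with a prune policy that keys on expiry, not on revocation status, and a check that the set of serials a CRL would list is unchanged by the prune. Record field names, status strings, dates and serials are this example's own constructed assumptions, not the CA's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Constructed sample records, loosely modelled on what a CA keeps per issued
# certificate in its internal repository. Field names and status values are
# this example's assumption, not any product's actual schema.
@dataclass(frozen=True)
class CertRecord:
    serial: int
    status: str                      # "VALID" or "REVOKED"
    not_after: datetime              # end of validity period
    revoked_on: Optional[datetime] = None

NOW = datetime(2015, 7, 23, tzinfo=timezone.utc)

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Four constructed records covering each case the thread distinguishes.
SAMPLE_REPOSITORY = [
    CertRecord(0x10, "VALID",   _utc(2016, 1, 1)),                     # valid, unexpired
    CertRecord(0x11, "VALID",   _utc(2014, 1, 1)),                     # expired
    CertRecord(0x12, "REVOKED", _utc(2016, 1, 1), _utc(2015, 6, 1)),   # revoked, NOT yet expired
    CertRecord(0x13, "REVOKED", _utc(2014, 6, 1), _utc(2014, 3, 1)),   # revoked and expired
]

def is_expired(rec: CertRecord, now: datetime = NOW) -> bool:
    return rec.not_after <= now

def safe_prune(records: List[CertRecord], now: datetime = NOW) -> List[CertRecord]:
    """Remove only certificates whose validity period has ended, regardless of
    status. A revoked certificate stays until its notAfter has passed, so the
    CRL generator can still see it."""
    return [r for r in records if not is_expired(r, now)]

def unsafe_prune(records: List[CertRecord]) -> List[CertRecord]:
    """The mistake the thread warns against: dropping every revoked record,
    including ones that clients could still be presented with."""
    return [r for r in records if r.status != "REVOKED"]

def crl_serials(records: List[CertRecord], now: datetime = NOW) -> List[int]:
    """Serials a CRL built from this repository would list: revoked and not yet
    expired. (RFC 5280 section 5 lets an issuer drop an entry once the
    certificate has expired and appeared on one further scheduled CRL; this
    toy model drops expired entries immediately.)"""
    return sorted(r.serial for r in records
                  if r.status == "REVOKED" and not is_expired(r, now))

def crl_entries_lost_by(records: List[CertRecord],
                        prune: Callable[[List[CertRecord]], List[CertRecord]],
                        now: datetime = NOW) -> List[int]:
    """Revoked-but-unexpired serials that would silently disappear from the
    next CRL if `prune` were applied. Empty means the prune is safe."""
    before = set(crl_serials(records, now))
    after = set(crl_serials(prune(records), now))
    return sorted(before - after)

if __name__ == "__main__":
    print("CRL before prune:", [hex(s) for s in crl_serials(SAMPLE_REPOSITORY)])
    print("safe prune loses:", crl_entries_lost_by(SAMPLE_REPOSITORY, safe_prune))
    print("unsafe prune loses:", [hex(s) for s in crl_entries_lost_by(SAMPLE_REPOSITORY, unsafe_prune)])
```

The point of the check is the last function: run it against the prune you intend to apply before touching the repository, and refuse to proceed if it returns anything. Translating this into an LDAP search against a real CA repository means filtering on the certificate's expiry date, never on its revocation status alone; whether a given entry is revoked only matters for deciding which expired entries you may also want to archive separately.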