I agree with what Fraser says. Non-expired certs (revoked or not)
should never be removed from the CA repository as that will affect the CRL.
I believe someone asked about this before, and we also warned them about
that. Though I have no recollection how it worked out for them in the
end. You could do a backup before you try.
regards,
Christina
On 07/30/2017 10:14 PM, Fraser Tweedale wrote:
On Fri, Jul 28, 2017 at 04:03:44PM +0200, Adam Tkac via FreeIPA-users
wrote:
> Hello all,
>
> we are currently facing an issue with a huge number of outdated certificate entries
> in the o=ipaca LDAP subtree (many servers no longer exist, certificates already expired,
> etc.)
> and we would like to remove them to decrease the number of entries in LDAP and also
> to speed-up initial replication of o=ipaca subtree (we have more than 700 000
> DNs in o=ipaca and deploy of new replica takes quite long).
>
> Has anyone tried to do something like this? I'm quite afraid that a simple
> ldapdelete of many DNs in the o=ipaca subtree could break DogTag somehow.
>
> Do you have any ideas whether something can break by removal of old (expired and also
> non-expired) certificates from o=ipaca? Thanks in advance for any advice.
>
> Regards, Adam
>
It is not a supported operation, but I cannot think of any problems
that would arise from removing the certificate records under
o=ipaca. But I am copying pki-users@ to get the attention of the
rest of the Dogtag team in case there is something I am not thinking
of.
Strictly speaking, you should only remove expired certificates, even
if a host has disappeared: the validity period is a promise by a CA
to maintain knowledge about a certificate for that whole period.
(Note to Dogtag team: FreeIPA configures Dogtag to use sequential
serial numbers. The usual range mechanism applies for CA clones).
HTH,
Fraser
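The rule both replies converge on (delete only records whose validity period has ended; keep every non-expired record, revoked or not, because the CRL still depends on it) as an added example, not code from this thread or from Dogtag. It assumes the cert records carry a GeneralizedTime `notAfter` attribute and a `certStatus` attribute, and the sample records below are constructed.

```python
"""Pick the o=ipaca certificate records that are safe to delete: expired only."""
from datetime import datetime, timezone
from typing import Dict, List

# Assumed DN layout of the Dogtag certificate repository (constructed here).
REPO = "ou=certificateRepository,ou=ca,o=ipaca"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20160101000000Z (UTC assumed)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_expired(record: Dict[str, str], now: datetime) -> bool:
    """True only once the validity period has ended.

    certStatus is deliberately ignored: a REVOKED but unexpired certificate
    must stay in the repository so it keeps appearing on the CRL, and a
    VALID unexpired one is the CA's promise to remember it until notAfter.
    """
    return parse_generalized_time(record["notAfter"]) < now


def select_deletable(records: List[Dict[str, str]], now: datetime) -> List[str]:
    """Return the DNs of records that passed notAfter, in repository order."""
    return [r["dn"] for r in records if is_expired(r, now)]


def to_delete_ldif(dns: List[str]) -> str:
    """Render the selected DNs as an LDIF of changetype: delete entries,
    to be applied with ldapmodify only after a backup of o=ipaca."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


# Constructed sample: two expired, two still valid (one of them revoked).
SAMPLE_RECORDS = [
    {"dn": f"cn=10,{REPO}", "notAfter": "20160101000000Z", "certStatus": "VALID"},
    {"dn": f"cn=11,{REPO}", "notAfter": "20190101000000Z", "certStatus": "VALID"},
    {"dn": f"cn=12,{REPO}", "notAfter": "20190101000000Z", "certStatus": "REVOKED"},
    {"dn": f"cn=13,{REPO}", "notAfter": "20160101000000Z", "certStatus": "REVOKED"},
]
# Fixed reference time so the selection is reproducible (date of the thread).
NOW = datetime(2017, 7, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(to_delete_ldif(select_deletable(SAMPLE_RECORDS, NOW)), end="")
```

Against the sample, only cn=10 and cn=13 are selected; the revoked cn=12 stays because it has not expired.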
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users