On Fri, 2018-05-11 at 15:47 +1000, Fraser Tweedale via FreeIPA-devel
wrote:
> Hi all,
>
> Ticket https://pagure.io/freeipa/issue/7482 made me think about the
> current revocation behaviour in `ipa cert-request`. For hosts and
> services, all old certificates get revoked.
>
> I wrote a blog post[1] outlining the problems with the current
> behaviour, and some suggested changes. I'd like to know others'
> thoughts. If we go ahead it would be something for a major release,
> not a bugfix release. The actual amount of work is pretty small.
>
> [1] https://frasertweedale.github.io/blog-redhat/posts/2018-05-11-renewal-and...
I'd prefer no revocation by default; if people need two+ certs with the
same name, they should be able to do so easily (for example, for
clustered services that need to answer as a single machine).

It also fills a CRL for no good reason. We should be conservative
about CRL size; if someone has a dynamic environment where hosts are
created and destroyed frequently, the CRL could become enormous.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc