On Fri, 2018-05-11 at 15:47 +1000, Fraser Tweedale via FreeIPA-devel wrote:
> made me think about the
> current revocation behaviour in `ipa cert-request`. For hosts and
> services, all old certificates get revoked.
>
> I wrote a blog post outlining the problems with the current
> behaviour, and some suggested changes. I'd like to know others'
> thoughts. If we go ahead it would be something for a major release,
> not a bugfix release. The actual amount of work is pretty small.

I'd prefer no revocation by default, if people need two+ certs with the
same name they should be able to do so easily (for example for
clustered services that need to answer as a single machine).
It also fills the CRL for no good reason; we should be conservative
about CRL size, and if someone has a dynamic environment where hosts are
created and destroyed frequently the CRL could become enormous.
Sr. Principal Software Engineer
Red Hat, Inc