On 1/20/23 15:39, Rob Crittenden wrote:
Jochen Kellner via FreeIPA-users wrote:
Orion Poplawski via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Does anyone know of a script or way to get a list of certificates issued by the IPA CA that are about to expire?
I do have a small script for byobu that warns when certificates are about to expire and I verify refresh really works - that's only useful for small installations with a small number of certificates.
In short: get a time interval with date and feed the dates into "ipa cert-find". Have fun!
There is a --status option you can set to valid which should return only currently valid certs (e.g. no revoked, expired, etc).
rob
Thanks for the suggestions. I ended up going with the following because we have superseded certs that are not revoked. We're going to assume that the new certs are put into the proper locations. It's pretty pathological bash, but I still get a perverse thrill from that. ;)
On the revocation topic - is it possible to get the previous certs that are renewed by certmonger automatically revoked?
#!/bin/bash
# List valid IPA CA certificates that expire within 100 days.
# Authenticates as the host principal from /etc/krb5.keytab so it can run unattended.
now=$(date +%s)
declare -A expires

KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
ipa cert-find --status=VALID --sizelimit=0 |
grep -E "(Subject|Not After):" |
sed 's/^ *//' |
( # both loops run in the same subshell so the array survives the pipeline
  while IFS=":" read -r key value
  do
    if [ "$key" = "Subject" ]
    then
      subj=${value# }              # strip the space after the colon
    else
      expires["$subj"]=${value# }  # "Not After" of the last cert listed for this subject
    fi
  done
  for subj in "${!expires[@]}"
  do
    daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - $now ) / 86400 ))
    [ $daysleft -le 100 ] && echo "$subj expires at ${expires[$subj]}"
  done )
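As an added example (not part of the thread and not FreeIPA's own tooling), the script below does the same job in Python and handles the superseded-but-not-revoked case explicitly: it groups the `ipa cert-find --status=VALID --sizelimit=0` output by subject, keeps only the newest certificate per subject, reports those within N days of expiry, and separately lists the older certificates that are still valid (the ones one might want to revoke). The "Subject:", "Not After:" and "Serial number:" labels and the date layout are assumed to match the ipa CLI output; SAMPLE_OUTPUT is constructed for the example and is used when the script is run with `--sample`.

```python
#!/usr/bin/env python3
"""Report IPA CA certificates expiring within N days, ignoring superseded ones.

Parses the text printed by `ipa cert-find --status=VALID --sizelimit=0`,
keeps only the newest certificate per subject (a renewed but not yet
revoked predecessor should not page anyone) and lists what is left.
The "Subject:", "Not After:" and "Serial number:" labels and the date
layout are assumed to match the ipa CLI; SAMPLE_OUTPUT is constructed.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"   # assumed ipa CLI date layout
FIELD_RE = re.compile(r"^\s*(Subject|Not After|Serial number): (.*)$")

# Constructed sample: web1 was renewed (serial 27 supersedes 11), db1 was not.
SAMPLE_OUTPUT = """\
-----------------------
3 certificates matched
-----------------------
  Subject: CN=web1.example.com,O=EXAMPLE.COM
  Not After: Tue Feb 14 12:00:00 2023 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False

  Subject: CN=web1.example.com,O=EXAMPLE.COM
  Not After: Thu Feb 13 12:00:00 2025 UTC
  Serial number: 27
  Serial number (hex): 0x1B
  Revoked: False

  Subject: CN=db1.example.com,O=EXAMPLE.COM
  Not After: Sat Mar 18 12:00:00 2023 UTC
  Serial number: 19
  Serial number (hex): 0x13
  Revoked: False
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_date(value):
    """Turn an ipa 'Not After' value into an aware UTC datetime."""
    return datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_cert_find(text):
    """Return one dict per certificate: subject, not_after, serial."""
    certs, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                          # separators, counts, other fields
        key, value = m.group(1), m.group(2).strip()
        if key == "Subject":                  # each record starts with its subject
            if current:
                certs.append(current)
            current = {"subject": value}
        elif key == "Not After":
            current["not_after"] = parse_date(value)
        elif key == "Serial number":
            current["serial"] = int(value)
    if current:
        certs.append(current)
    return certs


def newest_per_subject(certs):
    """Map subject -> the certificate with the latest Not After."""
    newest = {}
    for cert in certs:
        best = newest.get(cert["subject"])
        if best is None or cert["not_after"] > best["not_after"]:
            newest[cert["subject"]] = cert
    return newest


def superseded(certs):
    """Still-valid certificates that a newer one for the same subject has replaced."""
    newest = newest_per_subject(certs)
    return [c for c in certs if c is not newest[c["subject"]]]


def expiring(certs, days, now):
    """(subject, serial, days_left) for the newest cert per subject that
    expires within `days` of `now`, soonest first."""
    deadline = now + timedelta(days=days)
    hits = [c for c in newest_per_subject(certs).values() if c["not_after"] <= deadline]
    return [(c["subject"], c["serial"], (c["not_after"] - now).days)
            for c in sorted(hits, key=lambda c: c["not_after"])]


def main(argv):
    args = [a for a in argv if a != "--sample"]
    days = int(args[0]) if args else 100
    if "--sample" in argv:
        text = SAMPLE_OUTPUT
    else:  # real run: needs a credential, e.g. KRB5_CLIENT_KTNAME=/etc/krb5.keytab
        text = subprocess.run(["ipa", "cert-find", "--status=VALID", "--sizelimit=0"],
                              check=True, capture_output=True, text=True).stdout
    certs = parse_cert_find(text)
    for subject, serial, left in expiring(certs, days, datetime.now(timezone.utc)):
        print(f"{left:4d} days  serial {serial}  {subject}")
    for c in superseded(certs):
        print(f"superseded, still valid: serial {c['serial']}  {c['subject']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 ipa-expiring.py 100 --sample` to see it against the constructed data, or without `--sample` (with a keytab or ticket available) against a real server. Because only the newest certificate per subject is considered, the old web1 certificate in the sample does not trigger an expiry line even though it is valid and expires first; it shows up in the "superseded" list instead, which is the set to feed to `ipa cert-revoke` if you decide to clean those up.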