On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
> Hello all,
Hi David,
> I have to clean up a lot of useless certificates in the dirsrv database. Because of a resubmit loop on the Certmonger client, 99.9% of the certificates in the dirsrv database are useless and not obsolete (expiration in 2020); that represents ~85 000 certificates.
Did you already resolve the Certmonger resubmit loop?
> These useless certificates produce some issues on FreeIPA:
> - decreased FreeIPA performance on the CLI and GUI
> - increased LDAP size
> - increased size and duration of FreeIPA backups
> ...
> Is it possible to purge these certificates from the dirsrv database, and how?
Yes. You can remove them manually.
> I found two branches in the LDAP directory about these certificates:
> dn: cn=xxx,ou=ca,ou=requests,o=ipaca
> dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
The certificateRepository contains the issued certificates, the ou=ca,ou=requests contains data about the certificate requests. Each certificateRepository entry contains a reference to the request that produced it.
You'll have to manually work out which certs you don't want, delete their certificateRepository entries (cn is the serial number), and delete the corresponding request entries.
> I can remove all request and certificate entries from the dirsrv database, but how is this supported by the PKI manager Dogtag (CRL, certificate generation, OCSP)?
CRLs and OCSP responses are generated using the data from the certificateRepository. Forgetting about non-expired certificates is not valid under X.509, but since you have an operational issue, just choose carefully which ones you keep and which ones you delete.
Don't delete the entry for any certificates in active use, OR any non-expired but revoked certificate where you want it to appear in CRLs or want valid OCSP responses for that certificate.
Also, whatever certificate has the highest serial number, do not delete it. When using sequential serial numbers (which is how Dogtag gets configured by FreeIPA), upon startup Dogtag looks for the highest serial number to work out the next serial number to use. So keep the cert with the highest serial number, otherwise serial numbers will be re-used.
Cheers, Fraser
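The selection rules Fraser lays out (keep certs in active use, keep non-expired revoked certs for CRL/OCSP, keep the highest serial, delete the rest together with their request entries), as an added example that is not part of the thread. The entries are constructed in-line; the attribute names (serialno, certStatus, notAfter) and the "requestId" reference are assumptions modelled on Dogtag's certificateRecord schema, not values taken from the list.

```python
from datetime import datetime, timezone

# Constructed sample certificateRepository entries (cn = serial number).
# Attribute names are assumptions modelled on Dogtag's certificateRecord
# schema; "requestId" stands for the request reference each entry carries.
CERTS = [
    {"serialno": 2, "certStatus": "REVOKED", "notAfter": "2017-06-01T00:00:00Z", "requestId": 2},
    {"serialno": 3, "certStatus": "REVOKED", "notAfter": "2020-06-01T00:00:00Z", "requestId": 3},
    {"serialno": 5, "certStatus": "VALID",   "notAfter": "2020-06-01T00:00:00Z", "requestId": 5},
    {"serialno": 6, "certStatus": "VALID",   "notAfter": "2020-06-01T00:00:00Z", "requestId": 6},
    {"serialno": 7, "certStatus": "VALID",   "notAfter": "2020-06-01T00:00:00Z", "requestId": 7},
    {"serialno": 8, "certStatus": "VALID",   "notAfter": "2020-06-01T00:00:00Z", "requestId": 8},
]
CERT_BASE = "ou=certificateRepository,ou=ca,o=ipaca"
REQ_BASE = "ou=ca,ou=requests,o=ipaca"
# Constructed reference date matching the thread (Nov 2018).
EXAMPLE_NOW = datetime(2018, 11, 7, tzinfo=timezone.utc)


def _expired(entry, now):
    not_after = datetime.strptime(entry["notAfter"], "%Y-%m-%dT%H:%M:%SZ")
    return not_after.replace(tzinfo=timezone.utc) < now


def select_deletions(certs, in_use, now):
    """Return (cert_dns, request_dns) that are safe to delete.

    Kept: serials listed in in_use (certs actively deployed), any revoked
    certificate that has not yet expired (it must stay visible to CRL and
    OCSP generation), and the highest serial number, which Dogtag reads at
    startup to derive the next serial when sequential numbering is used.
    """
    highest = max(c["serialno"] for c in certs)
    cert_dns, req_dns = [], []
    for c in certs:
        serial = c["serialno"]
        if serial in in_use or serial == highest:
            continue
        if c["certStatus"] == "REVOKED" and not _expired(c, now):
            continue
        cert_dns.append(f"cn={serial},{CERT_BASE}")
        req_dns.append(f"cn={c['requestId']},{REQ_BASE}")
    return cert_dns, req_dns


def deletion_ldif(dns):
    """Render DNs as LDIF for 'ldapmodify' (changetype: delete), certs first."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


def example_deletions():
    """Run the selection on the constructed data; serial 7 is the cert in use."""
    return select_deletions(CERTS, in_use={7}, now=EXAMPLE_NOW)
```

Review the generated LDIF against the live directory before feeding it to ldapmodify; the sample data is small enough to check by eye, a real repository is not.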