On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
> > Makes me look at this a different way. Perhaps change the certstore to
> > only return valid CA certs. That way they are stored if anyone ever
> > wants them but they won't get pulled down for ipa-certupdate or
> > ipa-client-install.
> >
> > Or to try the ipa-cacert-manage route, it was mostly the UI part for why
> > I didn't do it. I wasn't sure if the best way would be to interactively
> > show each cert and do a delete Y/N or what. Perhaps a delete with
> > --expired-only to do the cleanup. I'm open to suggestions.
> >
> > rob
> >
> I think it's fine to change ipa-certupdate so it skips expired /
> not-yet-valid certs.
>
> IMO we should never automatically prune expired certs from the LDAP
> trust store, so that if customer needs to do time travel to fix an
> issue, the old CA certs will still be there and an ipa-certupdate
> will "restore" them to the various certificate DBs.
>
> And for the same reason, I'd be hesitant to offer a UI to prune
> expired certs from the trust store.
I agree. So, we still need a ticket for ipa-certupdate to gain an
explicit option to ignore expired certs.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
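As an added illustration of the selection rule discussed in this thread (example code, not FreeIPA's own implementation): the LDAP trust store is left untouched, only certs valid at a reference time are picked for installation into local cert DBs, and passing an earlier `at` models the "time travel" recovery case where old CA certs become installable again. `TrustStoreCert`, `select_certs_for_install`, `utc` and the sample entries are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day):
    """Build a timezone-aware UTC timestamp (helper for the sample data)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Hypothetical model of one CA cert entry in the IPA LDAP trust store
# (constructed for this example; not FreeIPA's real schema).
@dataclass(frozen=True)
class TrustStoreCert:
    nickname: str
    not_before: datetime
    not_after: datetime


def select_certs_for_install(store, at=None):
    """Return (to_install, skipped).

    Only certs whose validity window contains `at` are installed into the
    local cert DBs; the store itself is never modified, so nothing is lost.
    `at` defaults to now, but an earlier value reproduces the recovery case
    where an admin sets the clock back and reruns ipa-certupdate.
    """
    at = at or datetime.now(timezone.utc)
    to_install, skipped = [], {}
    for cert in store:
        if at < cert.not_before:
            skipped[cert.nickname] = "not-yet-valid"
        elif at > cert.not_after:
            skipped[cert.nickname] = "expired"
        else:
            to_install.append(cert)
    return to_install, skipped


# Constructed sample trust store: a renewed CA (old and new cert both kept),
# plus a root that is not yet valid.
STORE = [
    TrustStoreCert("EXAMPLE.TEST IPA CA (old)", utc(2010, 1, 1), utc(2020, 1, 1)),
    TrustStoreCert("EXAMPLE.TEST IPA CA", utc(2019, 12, 1), utc(2039, 12, 1)),
    TrustStoreCert("Future Root", utc(2030, 1, 1), utc(2050, 1, 1)),
]

if __name__ == "__main__":
    installed, skipped = select_certs_for_install(STORE, at=utc(2020, 3, 11))
    print("install:", [c.nickname for c in installed])
    print("skipped:", skipped)
```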