On Wed, May 19, 2021 at 11:54:03AM +0000, Gerrard Geldenhuis via FreeIPA-users wrote:
Hi
I am trying to remove old host certificates.
I generated a list using:
ipa cert-find --sizelimit 0
One of the certs is:
Issuing CA: ipa
Subject: CN=server.example.com,O=COMPANY.COM
Issuer: CN=Certificate Authority,O=COMPANY.COM
Not Before: Fri May 20 15:56:37 2016 UTC
Not After: Mon May 21 15:56:37 2018 UTC
Serial number: 268238888
Serial number (hex): 0xFFD002D
Status: REVOKED_EXPIRED
Revoked: True
I also did:
ipa cert-show 268238888
I then tried to remove the cert by using:
ipa host-remove-cert server.example.com
which then prompts me for the certificate; I enter the certificate
as I got it from the ipa cert-show command, using the "Certificate: "
part.
But I get the error:
ipa: ERROR: server.examle.com: host not found
I also tried to remove the certificate from the UI, which shows
quite a lot more expired certificates for the host, but does not
give me any option to delete/remove the certificates.
Am I missing something obvious with regards to the steps required
to remove old certificates? Am I not supposed to remove them?
Hi Gerrard,
`ipa host-remove-cert` removes certificates (userCertificate
attribute values) from IPA host principal objects.
`ipa cert-find` and `ipa cert-show` search/retrieve certificates
from the CA component, which are stored in the Dogtag LDAP database
(o=ipaca).
`host-remove-cert` only affects IPA host principals, not the CA
database. There is currently no supported way to prune expired
certificates from the CA's database. But it is on the roadmap.
It is generally safe to remove expired certificates from the Dogtag
database. But we don't provide that functionality (yet).
Hope that clears it up,
Fraser
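An added example, not from the thread or from FreeIPA, that inventories the two stores Fraser distinguishes: the expired records in the CA database (parsed from the `ipa cert-find` record layout quoted above, which this script only reports on, since the reply says there is no supported prune command) and the certificate values on the host entry, which is all `ipa host-remove-cert` can act on. The "Certificate:" label in `ipa host-show` output is an assumption, not something the thread shows.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or FreeIPA): inventory the CA (Dogtag)
# database records behind `ipa cert-find` and the userCertificate values on
# the host entry, the only store `ipa host-remove-cert` can touch. Reporting
# only. The "Certificate:" label in host-show output is an assumption.

# Read `ipa cert-find` output on stdin; print "<serial>\t<status>\t<subject>"
# for each record whose Status is EXPIRED or REVOKED_EXPIRED.
expired_ca_certs() {
  awk '
    function flush() {
      if (serial != "" && status ~ /EXPIRED$/)
        printf "%s\t%s\t%s\n", serial, status, subject
      serial = ""; status = ""; subject = ""
    }
    /^ *Issuing CA:/    { flush() }                 # every record starts here
    /^ *Subject:/       { sub(/^ *Subject: */, ""); subject = $0 }
    /^ *Serial number:/ { serial = $NF }            # decimal line, not "(hex)"
    /^ *Status:/        { status = $NF }
    END                 { flush() }'
}

# Read `ipa host-show` output on stdin; count certificates stored on the host
# entry itself ("Certificate: <base64>" lines). Zero matches prints 0.
host_entry_cert_count() {
  grep -c '^ *Certificate:' || true
}

# Live use (needs `ipa` and a Kerberos ticket); the demo below does not run it:
#   ipa cert-find --sizelimit 0 | expired_ca_certs
#   ipa host-show server.example.com | host_entry_cert_count

# Constructed sample in the layout quoted above; the second and third records
# (serials 1234 and 268238999) are made up for the demo.
SAMPLE_CERT_FIND='  Issuing CA: ipa
  Subject: CN=server.example.com,O=COMPANY.COM
  Serial number: 268238888
  Serial number (hex): 0xFFD002D
  Status: REVOKED_EXPIRED

  Issuing CA: ipa
  Subject: CN=server.example.com,O=COMPANY.COM
  Serial number: 1234
  Status: EXPIRED

  Issuing CA: ipa
  Subject: CN=server.example.com,O=COMPANY.COM
  Serial number: 268238999
  Status: VALID'

printf '%s\n' "$SAMPLE_CERT_FIND" | expired_ca_certs
```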