Hi guys.
I wanted to remove a cert:
$ ipa user-remove-cert ceph-mgr-dashboard
--certificate=MIIEjDCCAvSgAwIBAgIFE2IWcoQwD.......
but that cert, other certs remain: ->
$ ipa cert-find ...
  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Mon Jul 28 16:13:37 2025 UTC
  Not After: Thu Jul 29 16:13:37 2027 UTC
  Serial number: 83250016898
  Serial number (hex): 0x1362167282
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Wed Jul 30 14:22:24 2025 UTC
  Not After: Sat Jul 31 14:22:24 2027 UTC
  Serial number: 83250016899
  Serial number (hex): 0x1362167283
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Wed Jul 30 14:34:34 2025 UTC
  Not After: Sat Jul 31 14:34:34 2027 UTC
  Serial number: 83250016900
  Serial number (hex): 0x1362167284
  Status: VALID
  Revoked: False
-----------------------------
Number of entries returned 96
How does one remove these certs? If I remember correctly, keys/requests are rendered externally and then IPA created the certs, in case this matters.
Many thanks, L.
lejeczek via FreeIPA-users wrote:
The CA retains a copy because it issued it and it's the "authority".
Pruning, i.e. removing certificates from the CA db, is not recommended when PKI is configured with sequential serial numbers, which was the IPA default for most of its lifespan. Changing mid-stream is not allowed using IPA tools, but one can do it.
The risk in this case is issuing certificates with duplicate serial numbers.
rob
freeipa-users@lists.fedorahosted.org