On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
Hello all,
Hi David,
I have to clean up lot of useless certificate in dirsrv database.
Because of resubmit loop on Certmonger client, i have 99,9% of certificate in dirsrv
database that are useless and not obsolete (expiration in 2020) (it represent ~85 000
certificates).
Did you already resolve the Certmonger resubmit loop?
These useless certificates produce some issues on FreeIPA:
- decrease FreeIPA performances on CLI and GUI
- increase the LDAP size
- increase size and time of FreeIPA backup
...
Is it possible to purge these certificates in dirsrv database and how?
Yes. You can remove them manually.
I found two branches in LDAP directory about these certificates:
dn: cn=xxx,ou=ca,ou=requests,o=ipaca
dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
The certificateRepository contains the issued certificates, the
ou=ca,ou=requests contains data about the certificate requests.
Each certificateRepository entry contains a reference to the request
that produced it.
You'll have to manually work out which certs you don't want, delete
its certificateRepository entry (cn is the serial number), and
delete the corresponding request entry.
I can remove all requests and certificates entry from dirsrv
database but how it is supported by PKI manager Dogtag (CRL,
certificate generation, OCSP)?
CRLs and OCSP responses are generated using the data from the
certificateRepository. Forgetting about non-expired certificates is
not valid under X.509, but since you have an operational issue, just
choose carefully which ones you keep and which ones you delete.
Don't delete the entry for any certificates in active use, OR any
non-expired but revoked certificate where you want it to appear in
CRLs or want valid OCSP responses for that certificate.
Also, whatever certificate has the highest serial number, do not
delete it. When using sequential serial number (which is how Dogtag
gets configured by FreeIPA) upon startup Dogtag looks for the
highest serial number to work out what is the next serial number to
use. So keep the cert with the highest serial number otherwise
serial numbers will be re-used.
Cheers,
Fraser