On 1/20/23 15:39, Rob Crittenden wrote:
Jochen Kellner via FreeIPA-users wrote:
> Orion Poplawski via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> writes:
>
>> Does anyone know of a script or way to get a list of certificates issued by
>> the IPA CA that are about to expire?
>
> I do have a small script for byobu that warns when certificates are
> about to expire and I verify refresh really works - that's only useful
> for small installations with a small number of certificates.
>
> In short: get a time interval with date and feed the dates into "ipa
> cert-find". Have fun!
There is a --status option you can set to valid which should return only
currently valid certs (e.g. no revoked, expired, etc).
rob
Thanks for the suggestions. I ended up going with the following because we
have superseded certs that are not revoked. We're going to assume that the
new certs are put into the proper locations. It's pretty pathological bash,
but I still get a perverse thrill from that. ;)
On the revocation topic - is it possible to get the previous certs that are
renewed by certmonger automatically revoked?
#!/bin/bash
# Runs as root so the host keytab can authenticate the cert-find call;
# --sizelimit=0 lifts the default cap on returned entries.
now=$(date +%s)
declare -A expires
KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
ipa cert-find --status=VALID --sizelimit=0 | grep -E "(Subject|Not After):" |
sed 's/^ *//' | ( while IFS=":" read -r key value
do
  # The "Not After" value keeps its own colons: read puts the whole
  # remainder of the line into $value.
  if [ "$key" = "Subject" ]
  then
    subj=${value# }
  else
    expires["$subj"]=${value# }
  fi
done
# The loop runs in the pipeline's subshell, so the report must stay inside it.
for subj in "${!expires[@]}"
do
  daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - now) / 86400 ))
  [ "$daysleft" -le 100 ] && echo "$subj expires at ${expires[$subj]}"
done )
--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/
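An added example, not the script posted above and not FreeIPA project code, that combines the two suggestions in the thread: Jochen's "feed a date interval into ipa cert-find" is done server-side with the cert-find options --validnotafter-from/--validnotafter-to (dates as YYYY-MM-DD), together with Rob's --status=VALID, and the output parser keys each Subject to the "Serial number:" line of its own entry, so superseded-but-unrevoked certificates show up one line per serial rather than collapsing onto one subject. It assumes GNU date (-d, -u) and that those cert-find options exist on your IPA version; the cert-find output it parses offline is a constructed sample, not real CA data.

```shell
#!/bin/bash
# Added example (not from the thread): list IPA CA certificates expiring
# within N days. Assumes GNU date and the ipa cert-find options
# --status, --sizelimit, --validnotafter-from and --validnotafter-to.
#
# Usage as a script (needs root for /etc/krb5.keytab):  ./expiring.sh DAYS
# Without arguments it only defines the functions below.

# Print the cert-find arguments that make the server return only certificates
# whose notAfter lies between the reference time and N days later.
#   $1: days ahead   $2: reference time as epoch seconds (default: now)
certfind_window_args() {
    days=$1
    now=${2:-$(date +%s)}
    from=$(date -u -d "@$now" +%Y-%m-%d)
    to=$(date -u -d "@$((now + days * 86400))" +%Y-%m-%d)
    printf '%s %s\n' "--validnotafter-from=$from" "--validnotafter-to=$to"
}

# Read ipa cert-find output on stdin and print, soonest first, one line per
# certificate whose notAfter is at most $1 days after reference time $2:
#   <days_left> TAB <serial> TAB <subject> TAB <not_after>
# Entries are delimited by their "Serial number:" line, so a subject is only
# paired with the "Not After:" of the same entry. Integer division truncates,
# so a certificate expiring later today prints as 0 days.
expiring_within() {
    limit=$1
    now=${2:-$(date +%s)}
    serial='' subject=''
    while IFS= read -r line; do
        case "$line" in
            *"Serial number:"*) serial=${line#*: }; subject='' ;;
            *"Subject:"*)       subject=${line#*: } ;;
            *"Not After:"*)
                notafter=${line#*: }
                exp=$(date -d "$notafter" +%s) ||
                    { echo "cannot parse date: $notafter" >&2; continue; }
                days=$(( (exp - now) / 86400 ))
                if [ "$days" -le "$limit" ]; then
                    printf '%s\t%s\t%s\t%s\n' "$days" "$serial" "$subject" "$notafter"
                fi
                ;;
        esac
    done | sort -n
}

# Constructed sample in the layout ipa cert-find prints (not real CA data).
sample_certfind_output() {
    cat <<'EOF'
-----------------------
3 certificates matched
-----------------------
  Issuing CA: ipa
  Serial number: 5
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Tue Jan 03 18:30:00 2023 UTC
  Not After: Sun Jan 07 18:30:00 2024 UTC
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Serial number: 7
  Subject: CN=HTTP/ipa1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Wed Jan 18 12:00:00 2023 UTC
  Not After: Mon Jan 22 12:00:00 2024 UTC
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Serial number: 9
  Subject: CN=db.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Sun Dec 31 23:59:59 2023 UTC
  Not After: Wed Dec 31 23:59:59 2025 UTC
  Status: VALID
  Revoked: False
----------------------------
Number of entries returned 3
----------------------------
EOF
}

# Live query against the CA, only when a day count is given on the command
# line; the date window is applied by the server, the day arithmetic locally.
if [ "$#" -gt 0 ]; then
    # shellcheck disable=SC2046
    KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
        ipa cert-find --status=VALID --sizelimit=0 $(certfind_window_args "$1") |
        expiring_within "$1"
fi
```

The server-side window keeps the result set small on a CA with years of issued certificates, while --status=VALID still drops the revoked and already-expired ones; anything this lists that certmonger has already superseded is exactly the "not revoked" leftover the poster mentions, and the serial in the output is what `ipa cert-revoke` needs.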