Alexander Bokovoy wrote:
On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
>> Makes me look at this a different way. Perhaps change the certstore to
>> only return valid CA certs. That way they are stored if anyone ever
>> wants them but they won't get pulled down for ipa-certupdate or
>> ipa-client-install.
>>
>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>> I didn't do it. I wasn't sure if the best way would be to interactively
>> show each cert and do a delete Y/N or what. Perhaps a delete with
>> --expired-only to do the cleanup. I'm open to suggestions.
>>
>> rob
>>
>
> I think it's fine to change ipa-certupdate so it skips expired /
> not-yet-valid certs.
>
> IMO we should never automatically prune expired certs from the LDAP
> trust store, so that if customer needs to do time travel to fix an
> issue, the old CA certs will still be there and an ipa-certupdate
> will "restore" them to the various certificate DBs.
>
> And for the same reason, I'd be hesitant to offer a UI to prune
> expired certs from the trust store.
I agree. So, we still need a ticket for ipa-certupdate to gain an
explicit option to ignore expired certs.

IMHO it should be the default for certstore.get_ca_certs(). I opened
https://pagure.io/freeipa/issue/8223
I don't know of a case where we would want to fetch non-valid CA
certificates, please update the ticket if you know of any.
rob
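One way to implement the validity filter proposed above for certstore.get_ca_certs() (an added example, not FreeIPA's own code): CACert is a stand-in whose attribute names follow cryptography.x509.Certificate, and the include_invalid flag is a hypothetical opt-out for the "time travel" case in which an admin deliberately wants the old CA certs back.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimal stand-in for a parsed CA certificate. The attribute names mirror
# cryptography.x509.Certificate, so valid_ca_certs() below also works on real
# certificate objects (assumption: not_valid_before / not_valid_after are
# naive UTC datetimes, which is what older cryptography releases return).
@dataclass(frozen=True)
class CACert:
    subject: str
    not_valid_before: datetime
    not_valid_after: datetime

def _as_utc(dt):
    """Treat naive datetimes as UTC so we never compare aware with naive."""
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def is_currently_valid(cert, now=None):
    """True if now lies inside [notBefore, notAfter], inclusive (RFC 5280)."""
    now = _as_utc(now if now is not None else datetime.now(timezone.utc))
    return _as_utc(cert.not_valid_before) <= now <= _as_utc(cert.not_valid_after)

def valid_ca_certs(certs, now=None, include_invalid=False):
    """Filter a trust-store listing the way the thread proposes: drop expired
    and not-yet-valid CA certs by default, so ipa-certupdate and
    ipa-client-install never install them, while the LDAP store itself keeps
    every cert and an explicit include_invalid=True still returns them all."""
    if include_invalid:
        return list(certs)
    return [c for c in certs if is_currently_valid(c, now)]

# Constructed sample trust store: an old CA that has expired, its renewed
# successor that is valid now, and a pre-staged CA that is not yet valid.
NOW = datetime(2020, 3, 11, tzinfo=timezone.utc)
SAMPLE_STORE = [
    CACert("CN=Old IPA CA", NOW - timedelta(days=3650), NOW - timedelta(days=1)),
    CACert("CN=IPA CA", NOW - timedelta(days=30), NOW + timedelta(days=3620)),
    CACert("CN=Future IPA CA", NOW + timedelta(days=1), NOW + timedelta(days=3650)),
]

if __name__ == "__main__":
    for c in valid_ca_certs(SAMPLE_STORE, now=NOW):
        print("would install:", c.subject)
```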