#7219 add command(s) for pruning expired certs from `userCertificate` attribute
Opened 2 years ago by ftweedal. Modified 4 months ago

When using short-lived certs and regular issuance, the expired certs build up in the
userCertificate attribute, causing entries to be unnecessarily large and additional
burden on the receiver to process the entry and find a matching certificate.

There should be a command (or command options) to prune expired certs from the
userCertificate attribute. Some ideas:

  • We already have a {user,host,service}-remove-cert command. Add a --prune option to automatically select all expired certs.

  • Add a {user,host,service}-prune-certs command

  • Possible command(s) or variants of the above for doing it on all principals at once?

See also Dogtag ticket for pruning expired certs: https://pagure.io/dogtagpki/issue/1750
