When using short-lived certs and regular issuance, the expired certs build up in the userCertificate attribute, causing entries to be unnecessarily large and additional burden on the receiver to process the entry and find a matching certificate.
There should be a command (or command options) to prune expired certs from the `userCertificate` attribute. Some ideas:

- We already have a `{user,host,service}-remove-cert` command. Add a `--prune` option to automatically select all expired certs.
- Add a `{user,host,service}-prune-certs` command.
- Possible command(s) or variants of the above for doing it on all principals at once?
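As an added illustration (not FreeIPA or Dogtag code) of the selection a `--prune` option would have to make: read notAfter from each DER value of the `userCertificate` attribute and split the list into certificates to keep and certificates to remove. The `_tlv` walker reads real DER certificates; `fake_cert` builds constructed, certificate-shaped samples so the example runs offline, and all function names are the example's own.

```python
# Added example, not FreeIPA code: pick expired certificates out of a
# multi-valued userCertificate attribute the way a --prune option might.
from datetime import datetime, timezone

def _tlv(der, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                    # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)            # validity SEQUENCE
    _, _, pos = _tlv(der, pos)            # skip notBefore
    tag, start, end = _tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(certs, now):
    """Split userCertificate values into (keep, prune); prune = notAfter <= now."""
    keep, prune = [], []
    for der in certs:
        (prune if not_after(der) <= now else keep).append(der)
    return keep, prune

def _enc(tag, body):                      # DER encoder for the short lengths the samples need
    return bytes([tag, len(body)]) + body

def fake_cert(not_after_str, time_tag=0x17):
    """Constructed sample: certificate-shaped DER holding only the fields read above."""
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(time_tag, not_after_str))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")   # version, serialNumber
           + _enc(0x30, b"") + _enc(0x30, b"") + validity)          # signature, issuer
    return _enc(0x30, _enc(0x30, tbs))

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    keep, prune = prune_expired([fake_cert(b"250301000000Z"), fake_cert(b"260301000000Z")], now)
    print(f"keep {len(keep)}, prune {len(prune)}")  # keep 1, prune 1
```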
See also Dogtag ticket for pruning expired certs: https://pagure.io/dogtagpki/issue/1750
I do not think we should prune these directly from Dogtag's DB. Dogtag should have an interface to let IPA do it. There could even be rules configured on Dogtag side that keep some certificates, for instance those that expired within the past year.
As a note, the Dogtag ticket now lives at: https://github.com/dogtagpki/pki/issues/2307. There is a plugin that is able to prune expired certificates from the publishing directory at: https://github.com/dogtagpki/pki/blob/master/base/ca/src/com/netscape/cms/jobs/UnpublishExpiredJob.java
@fcami I agree. This ticket is just about pruning expired certs from IPA objects. Let Dogtag work out how they want to prune certs on their side, and expose to us an interface or configuration for it.