IPA cert request has no way to restrict a search to non-revoked certificates. We can search for revoked certificates that have a particular revocation reason or were revoked at a particular time, but there is no way to limit a search to certificates that are currently within their validity period and not revoked.
There should be a cert-find option to filter based on status, e.g. --status={VALID,REVOKED,EXPIRED,REVOKED_EXPIRED}.
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.7 backlog
https://pagure.io/freeipa/issue/7850 was closed as a duplicate of this ticket.
See also https://pagure.io/freeipa/issue/7835.
From what I can tell the dogtag interface accepts only a single value for status. It isn't possible to mix and match types, e.g.
pki ca-cert-find --status=REVOKED_EXPIRED --status=REVOKED
Will return only REVOKED_EXPIRED certs.
I filed a Dogtag ticket: https://pagure.io/dogtagpki/issue/3109. This ticket is blocked until that ticket is fixed.
Metadata Update from @ftweedal: - Custom field blockedby adjusted to https://pagure.io/dogtagpki/issue/3109