Issue #9294: Enable the certificate pruning job in PKI - freeipa

freeipa

#9294 Enable the certificate pruning job in PKI

Closed: fixed a year ago by frenaud. Opened a year ago by rcritten.

Request for enhancement

As an administrator , I want to remove expired certificates so that I can maintain performance and the size of my certificate database.

With ACME generating short-lived certificates, expired certificates can quickly build up in the certificate database. https://pagure.io/dogtagpki/issue/1750 provides a job that can be scheduled or run manually to remove (prune) expired certificates.

rcritten commented a year ago

Design PR https://github.com/freeipa/freeipa/pull/6600

rcritten commented a year ago

master:

5d9f590 doc: Design for certificate pruning

frenaud commented a year ago

ipa-4-10:

51b1c22 doc: Design for certificate pruning

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2162677

a year ago

frenaud commented a year ago

master:

78298fd ipa-acme-manage: add certificate/request pruning management
7d1d91f doc: add the --run command for manual job execution

frenaud commented a year ago

ipa-4-10:

9246a8a ipa-acme-manage: add certificate/request pruning management
f10d1a0 doc: add the --run command for manual job execution

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

rcritten commented a year ago

master:

828f6e7 ipatests: tests for certificate pruning

rcritten commented a year ago

ipa-4-10:

0f77b35 ipatests: tests for certificate pruning

frenaud commented a year ago

master:

e76b219 ipatests: fix tests in TestACMEPrune

frenaud commented a year ago

ipa-4-10:

e7c642b ipatests: fix tests in TestACMEPrune

Metadata Update from @rcritten:
- Custom field changelog adjusted to Removing (pruning) expired certificates is supported when Random Serial Numbers are enabled. One cannot upgrade from sequential serial numbers to random. This feature is enabled using the ipa-acme-manage(1) command.

10 months ago

Metadata

Assignee

rcritten

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=2162677

tester

None

changelog

Removing (pruning) expired certificates is supported when Random Serial Numbers are enabled. One cannot upgrade from sequential serial numbers to random. This feature is enabled using the ipa-acme-manage(1) command.

design

None

freeipa

Source Code

#9294 Enable the certificate pruning job in PKI Closed: fixed a year ago by frenaud. Opened a year ago by rcritten.

Request for enhancement

Metadata

#9294 Enable the certificate pruning job in PKI

Closed: fixed a year ago by frenaud. Opened a year ago by rcritten.