Bug 1883477
Summary: | [RFE] Automatic expired certificate purging | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Arya Rajendran <arajendr> | |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> | |
Status: | CLOSED ERRATA | QA Contact: | idm-cs-qe-bugs | |
Severity: | unspecified | Docs Contact: | Jana Heves <jsvarova> | |
Priority: | medium | |||
Version: | 9.2 | CC: | aakkiang, ckelley, edewata, fcami, jonmoore, jsvarova, mescanfe, mharmsen, msauton, pasik, pcech, prisingh, rcritten, skhandel, tscherf, vmishra | |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged | |
Target Release: | 9.2 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | pki-core-11.3.0-0.2.beta1.el9 | Doc Type: | Enhancement | |
Doc Text: |
.Automatic purging of expired certificates
This update adds an automatic mechanism to purge expired certificates and request records from the database. You can enable this feature based on certain policies, such as search size limit, search time limit, and retention time.
To remove records safely, the CA needs to use Random Certificate Serial Numbers v3 (RSNv3) to generate the certificate serial numbers and the enrollment or renewal request IDs.
The CA provides a pruning job that removes the following:
* Certificates that have expired for some time.
* Completed requests corresponding to the expired certificates.
* Incomplete requests that have been idle for some time.
You need to schedule this job to run regularly to remove a certain number of records each time it runs. The remaining records will be removed in the subsequent runs. For large deployments, you can distribute the job among the servers in the cluster.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2184523 | Environment: | ||
Last Closed: | 2023-05-09 07:43:41 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2184523 |
Description
Arya Rajendran
2020-09-29 11:00:37 UTC
Upstream PKI issue is now: https://github.com/dogtagpki/pki/issues/2307

Moving to Dogtag.

As noted in the IPA upstream ticket: I do not think we should prune these directly from Dogtag's DB. Dogtag should have an interface to let IPA do it (if necessary). There could even be rules configured on Dogtag side that keep some certificates, for instance those that expired within the past year as asked by the reporter.

Implemented in master branch (PKI 11.3):
* https://github.com/dogtagpki/pki/commit/9e9b303327dd794d727ccb1e3649511e99413747
* https://github.com/dogtagpki/pki/commit/1d2410da32d505b6cfcd5bbbe3ac9cce1163859b

Docs:
* https://github.com/dogtagpki/pki/wiki/CA-Database-Pruning
* https://github.com/dogtagpki/pki/wiki/Configuring-CA-Database-Pruning

Fedora COPR build: https://copr.fedorainfracloud.org/coprs/g/pki/master/builds/

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2293

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.
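To make the three pruning rules and the per-run size limit from the Doc Text concrete, here is a small simulation added for this page; it is not Dogtag's pruning job, and the record layout, the field names and the rule that a completed request is removed once its certificate has been selected or is already gone are assumptions. The constructed sample database shows why a size limit of 2 needs two scheduled runs to clear the backlog while recently expired certificates and fresh pending requests survive both runs.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# serial stands in for an RSNv3 random serial; status is "complete" or "pending"
Cert = namedtuple("Cert", "serial not_after request_id")
Request = namedtuple("Request", "request_id status last_modified")

def select_for_pruning(certs, requests, now, cert_ret, req_ret, size_limit):
    """One run: (serials, request_ids) to remove, at most size_limit of each."""
    expired = sorted((c for c in certs if c.not_after + cert_ret <= now),
                     key=lambda c: c.not_after)[:size_limit]
    linked = {c.request_id for c in expired}   # completed requests of those certs
    existing = {c.request_id for c in certs}   # requests whose cert is still present
    prunable = []
    for r in requests:
        if r.status == "complete":
            # assumption: a completed request goes once its cert is selected or gone
            if r.request_id in linked or r.request_id not in existing:
                prunable.append(r)
        elif r.last_modified + req_ret <= now:  # incomplete and idle past retention
            prunable.append(r)
    prunable.sort(key=lambda r: r.last_modified)
    return [c.serial for c in expired], [r.request_id for r in prunable[:size_limit]]

def simulate_runs(certs, requests, now, cert_ret, req_ret, size_limit):
    """Repeat scheduled runs until nothing is left; return what each run removed."""
    history = []
    while True:
        serials, ids = select_for_pruning(certs, requests, now, cert_ret, req_ret, size_limit)
        if not serials and not ids:
            return history
        history.append((serials, ids))
        certs = [c for c in certs if c.serial not in serials]
        requests = [r for r in requests if r.request_id not in ids]

# constructed sample database as of NOW (serials and request ids are made up)
NOW = datetime(2023, 5, 9)
def ago(days): return NOW - timedelta(days=days)
CERTS = [Cert("0x1f4e", ago(100), "r1"), Cert("0x2a77", ago(60), "r2"),
         Cert("0x3b10", ago(40), "r3"), Cert("0x4c02", ago(10), "r4"),
         Cert("0x5d9a", NOW + timedelta(days=200), "r5")]
REQUESTS = [Request("r1", "complete", ago(110)), Request("r2", "complete", ago(70)),
            Request("r3", "complete", ago(50)), Request("r4", "complete", ago(20)),
            Request("r5", "complete", ago(5)), Request("r6", "pending", ago(45)),
            Request("r7", "pending", ago(3))]

def demo():
    """30-day retention for both record types, at most 2 records per type per run."""
    return simulate_runs(CERTS, REQUESTS, NOW, timedelta(days=30), timedelta(days=30), 2)
```

Run 1 removes the two oldest expired certificates and their completed requests; run 2 takes the remaining expired certificate, its request and the idle pending request, and a third run finds nothing because the 10-day-old expiry and the 3-day-old pending request are inside their retention windows.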