Orion Poplawski via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Does anyone know of a script or way to get a list of certificates issued by
> the IPA CA that are about to expire?

I do have a small script for byobu that warns when certificates are about
to expire and I verify refresh really works - that's only useful for small
installations with a small number of certificates.

In short: get a time interval with date and feed the dates into
"ipa cert-find".

Have fun!

#! /bin/bash
#
# Display the expiring certificates for the next few weeks
# This is called from byobu every 20 minutes
#
now=$(date +"%Y-%m-%d")
end=$(date -d "+27 days" +"%Y-%m-%d")
count=0
revoked=0

# If we call the script manually with "--verbose", give a list
# of the expiring certificates - display subject, expiry date and
# serial number. Stop the script execution.
if [ "x$1" = "x--verbose" ]; then
    env LC_ALL=C.UTF-8 KRB5_CLIENT_KTNAME=~/work/freeipa/jochen.keytab \
        ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | \
        grep -E "(Subject|Not After|Serial number):"
    exit
fi

# Count the expiring and possibly revoked certificates
eval "$(env LC_ALL=C.UTF-8 ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | \
    awk '/certificates matched/ { count=$1 }
         /REVOKED/ { revoked++ }
         END { printf("count=%d\nrevoked=%d\n", count, revoked) }')"

# If no cert is near expiry - display nothing
if [ "$count" -ne 0 ]; then
    if [ "$count" -eq "$revoked" ]; then
        # all expiring certificates are also revoked - display green
        echo "#[fg=green]$count certs, $revoked revoked#[default]"
    else
        # there are expiring certificates which are possibly still active
        # Looking for an already renewed certificate seems to be
        # expensive performance-wise.
        echo "#[bg=red]$count certs, $revoked revoked#[default]"
    fi
fi

-- 
This space is intentionally left blank.
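Added example, not part of the original message: a per-record filter for the same "ipa cert-find" output that lists only the expiring certificates that are not revoked, so the entries behind a red status can be reviewed directly. It assumes each record carries "Subject:", "Not After:", "Serial number:" and "Status:" lines and that records are separated by blank lines; the function names and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example. Assumed record layout: "Subject:", "Not After:",
# "Serial number:" and "Status:" lines, records separated by blank lines.

# Constructed sample, not real output from any IPA server.
sample_output() {
cat <<'EOF'
----------------------
3 certificates matched
----------------------
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Not After: Sat Mar 01 10:00:00 2025 UTC
  Serial number: 21
  Serial number (hex): 0x15
  Status: VALID

  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Not After: Mon Mar 03 10:00:00 2025 UTC
  Serial number: 14
  Serial number (hex): 0xE
  Status: REVOKED

  Subject: CN=ldap1.example.test,O=EXAMPLE.TEST
  Not After: Mon Mar 10 10:00:00 2025 UTC
  Serial number: 30
  Status: VALID
EOF
}

# Read cert-find output on stdin and print one line per non-revoked
# certificate: serial<TAB>not-after<TAB>subject
active_expiring() {
    awk '
        function emit_record() {
            if (serial != "" && status !~ /REVOKED/)
                printf("%s\t%s\t%s\n", serial, notafter, subject)
            serial = notafter = subject = status = ""
        }
        /^ *Subject: /       { sub(/^ *Subject: /, "");       subject = $0;  next }
        /^ *Not After: /     { sub(/^ *Not After: /, "");     notafter = $0; next }
        # The trailing ": " keeps "Serial number (hex):" from matching here.
        /^ *Serial number: / { sub(/^ *Serial number: /, ""); serial = $0;   next }
        /^ *Status: /        { sub(/^ *Status: /, "");        status = $0;   next }
        /^ *$/               { emit_record() }
        END                  { emit_record() }
    '
}

# Live use, with the same date window as the script in the message:
#   ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | active_expiring
sample_output | active_expiring
```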