Orion Poplawski via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> Does anyone know of a script or way to get a list of certificates issued by
> the IPA CA that are about to expire?

I do have a small script for byobu that warns when certificates are
about to expire and I verify refresh really works - that's only useful
for small installations with a small number of certificates.

In short: get a time interval with date and feed the dates into "ipa
cert-find". Have fun!

#! /bin/bash
#
# Display the expiring certificates for the next few weeks
# This is called from byobu every 20 minutes
#
now=$(date               +"%Y-%m-%d")
end=$(date -d "+27 days" +"%Y-%m-%d")

count=0
revoked=0

# If we call the script manually with "--verbose", give a list
# of the expiring certificates - display subject, expiry date and
# serial number. Stop the script execution.
if [ "x$1" = "x--verbose" ]; then
    env LC_ALL=C.UTF-8 KRB5_CLIENT_KTNAME=~/work/freeipa/jochen.keytab \
        ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | \
        grep -E "(Subject|Not After|Serial number):"
    exit
fi

# Count the expiring and possibly revoked certificates
# The summary line reads "1 certificate matched" for a single hit, so the
# pattern accepts both the singular and the plural form.
eval "$(env LC_ALL=C.UTF-8 ipa cert-find --validnotafter-from="$now" \
                                         --validnotafter-to="$end" | \
    awk '/certificates? matched/ { count=$1 } /REVOKED/ { revoked++ }
         END { printf("count=%d\nrevoked=%d\n", count, revoked) }')"

# If no cert is near expiry - display nothing
if [ "$count" -ne 0 ]; then
    if [ "$count" -eq "$revoked" ]; then
        # all expiring certificates are also revoked - display green
        echo "#[fg=green]$count certs, $revoked revoked#[default]"
    else
        # there are expiring certificates which are possibly still active
        # Looking for a already renewed certificate seems to be
        # expensive performance-wise.
        echo "#[bg=red]$count certs, $revoked revoked#[default]"
    fi
fi
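An added example, not part of the original mail: the same cert-find output turned into one line per certificate with the days left until expiry, so the list can be read at a glance or fed to a monitoring check. It assumes the labels the script above greps for ("Serial number:", "Subject:", "Not After:", "REVOKED", "N certificate(s) matched") and GNU date; the sample output is constructed, and nothing here talks to IPA.

```shell
# Added example, not from the original mail: turn "ipa cert-find" text output into
# "DAYS_LEFT SERIAL STATUS SUBJECT" lines sorted by days left. Assumes the labels the
# original script greps ("Serial number:", "Subject:", "Not After:", "REVOKED",
# "N certificate(s) matched") and GNU date for -d parsing.
# Constructed sample in that format; not captured from a real server.
SAMPLE_OUTPUT='3 certificates matched
----------------------
  Serial number: 17
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Not After: Mon Jun 16 10:00:00 2025 UTC

  Serial number: 23
  Subject: CN=old.example.test,O=EXAMPLE.TEST
  Not After: Sun Jun 08 09:00:00 2025 UTC
  Status: REVOKED

  Serial number: 42
  Subject: CN=ldap.example.test,O=EXAMPLE.TEST
  Not After: Wed Jun 04 12:30:00 2025 UTC'
# Match count from the summary line; the singular "1 certificate matched" counts
# too, which a plain /certificates matched/ pattern would miss.
count_matched() {
    awk '/certificates? matched/ { n = $1 } END { print n + 0 }'
}

# Whole days from a YYYY-MM-DD reference date (UTC midnight) to a ctime-style
# "Not After" value such as "Wed Jun 04 12:30:00 2025 UTC".
days_until() {
    local ref exp
    ref=$(date -u -d "$1" +%s)
    # reorder to "Jun 04 2025 12:30:00 UTC", which GNU date parses unambiguously
    exp=$(date -u -d "$(echo "$2" | awk '{ print $2, $3, $5, $4, $6 }')" +%s)
    echo $(( (exp - ref) / 86400 ))
}

# usage: summarize_expiring YYYY-MM-DD < cert-find-output
# A blank line ends one certificate record; a record without REVOKED is "active".
summarize_expiring() {
    local ref="$1" serial subject notafter status
    awk '
        /^ *Serial number:/ { sub(/^ *Serial number: */, ""); serial = $0 }
        /^ *Subject:/       { sub(/^ *Subject: */, "");       subject = $0 }
        /^ *Not After:/     { sub(/^ *Not After: */, "");     notafter = $0 }
        /REVOKED/           { status = "REVOKED" }
        /^[[:space:]]*$/ && serial != "" { print serial "|" subject "|" notafter "|" (status ? status : "active"); serial = status = "" }
        END { if (serial != "") print serial "|" subject "|" notafter "|" (status ? status : "active") }
    ' | while IFS='|' read -r serial subject notafter status; do
        echo "$(days_until "$ref" "$notafter") $serial $status $subject"
    done | sort -n
}
```

Run it as `ipa cert-find --validnotafter-from="$now" --validnotafter-to="$end" | summarize_expiring "$now"` on a real server; the first column is the number of whole days left, negative for certificates that have already expired.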


-- 
This space is intentionally left blank.