lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I wanted to remove a cert:
>
> $ ipa user-remove-cert ceph-mgr-dashboard --certificate=MIIEjDCCAvSgAwIBAgIFE2IWcoQwD.......
>
> but that cert, and other certs, remain:
>
> $ ipa cert-find
> ...
>   Issuing CA: ipa
>   Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
>   Issuer: CN=Certificate Authority,O=MINE.PRIV
>   Not Before: Mon Jul 28 16:13:37 2025 UTC
>   Not After: Thu Jul 29 16:13:37 2027 UTC
>   Serial number: 83250016898
>   Serial number (hex): 0x1362167282
>   Status: REVOKED
>   Revoked: True
>
>   Issuing CA: ipa
>   Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
>   Issuer: CN=Certificate Authority,O=MINE.PRIV
>   Not Before: Wed Jul 30 14:22:24 2025 UTC
>   Not After: Sat Jul 31 14:22:24 2027 UTC
>   Serial number: 83250016899
>   Serial number (hex): 0x1362167283
>   Status: VALID
>   Revoked: False
>
>   Issuing CA: ipa
>   Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
>   Issuer: CN=Certificate Authority,O=MINE.PRIV
>   Not Before: Wed Jul 30 14:34:34 2025 UTC
>   Not After: Sat Jul 31 14:34:34 2027 UTC
>   Serial number: 83250016900
>   Serial number (hex): 0x1362167284
>   Status: VALID
>   Revoked: False
> -----------------------------
> Number of entries returned 96
>
> How does one remove these certs?
> If I remember correctly, keys/requests are rendered externally and then
> IPA creates the certs, in case this matters.
The CA retains a copy because it issued it and it is the "authority".

Pruning (removing certificates from the CA DB) is not recommended when the PKI is configured with sequential serial numbers, which was the IPA default for most of its lifespan. Changing mid-stream is not allowed using IPA tools, but one can do it. The risk in this case is issuing certificates with duplicate serial numbers.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
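The check a practitioner would want before and after touching the CA database, as an added example that is not part of the thread and not FreeIPA project code: it parses the plain-text `ipa cert-find` format quoted above, lists the unrevoked certificates per subject (the ones that `ipa user-remove-cert` leaves untouched in the CA, since that command only edits the user entry), and flags any serial number that appears on more than one record, which is the duplicate-serial failure mode Rob describes. The sample input is the three records from the post plus one constructed record (`CN=other-host`) that deliberately reuses serial 83250016900 so the duplicate check has something to report; the function and variable names are this example's own.

```python
"""Parse `ipa cert-find` text output and check it for duplicate serials.

Added example; not code from the FreeIPA project or from the mailing-list
thread. Function names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, plus one
# made-up record (CN=other-host) that reuses serial 83250016900 on purpose.
SAMPLE_CERT_FIND = """\
  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Mon Jul 28 16:13:37 2025 UTC
  Not After: Thu Jul 29 16:13:37 2027 UTC
  Serial number: 83250016898
  Serial number (hex): 0x1362167282
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Wed Jul 30 14:22:24 2025 UTC
  Not After: Sat Jul 31 14:22:24 2027 UTC
  Serial number: 83250016899
  Serial number (hex): 0x1362167283
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=ceph-mgr-dashboard,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Wed Jul 30 14:34:34 2025 UTC
  Not After: Sat Jul 31 14:34:34 2027 UTC
  Serial number: 83250016900
  Serial number (hex): 0x1362167284
  Status: VALID
  Revoked: False

  Issuing CA: ipa
  Subject: CN=other-host,O=MINE.PRIV
  Issuer: CN=Certificate Authority,O=MINE.PRIV
  Not Before: Fri Aug  1 09:00:00 2025 UTC
  Not After: Sun Aug  2 09:00:00 2027 UTC
  Serial number: 83250016900
  Serial number (hex): 0x1362167284
  Status: VALID
  Revoked: False
-----------------------------
Number of entries returned 4
"""

# "Key: value" lines; the key contains only letters, spaces and parentheses,
# so timestamps in the value (which contain colons) are not split further.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*?)\s*$")


def parse_cert_find(text):
    """Split `ipa cert-find` output into one dict per certificate record."""
    certs = []
    for block in re.split(r"\n\s*\n", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Serial number" not in fields:
            continue  # footer ("Number of entries returned") or other noise
        certs.append({
            "subject": fields.get("Subject", ""),
            "serial": int(fields["Serial number"]),
            "serial_hex": fields.get("Serial number (hex)"),
            "status": fields.get("Status", ""),
            "revoked": fields.get("Revoked", "").lower() == "true",
            "not_after": fields.get("Not After", ""),
        })
    return certs


def duplicate_serials(certs):
    """Serials present on more than one record: the failure Rob warns about."""
    by_serial = defaultdict(list)
    for c in certs:
        by_serial[c["serial"]].append(c)
    return {s: recs for s, recs in by_serial.items() if len(recs) > 1}


def hex_mismatches(certs):
    """Records whose decimal and hex serials disagree (garbled or edited output)."""
    return [c for c in certs
            if c["serial_hex"] and int(c["serial_hex"], 16) != c["serial"]]


def valid_serials_by_subject(certs):
    """Unrevoked serials per subject; several for one subject means stale certs."""
    out = defaultdict(list)
    for c in certs:
        if c["status"] == "VALID" and not c["revoked"]:
            out[c["subject"]].append(c["serial"])
    return dict(out)


if __name__ == "__main__":
    certs = parse_cert_find(SAMPLE_CERT_FIND)
    for subject, serials in valid_serials_by_subject(certs).items():
        print(f"{subject}: {len(serials)} VALID cert(s): {serials}")
    for serial, recs in duplicate_serials(certs).items():
        print(f"DUPLICATE serial {serial} ({hex(serial)}): "
              + ", ".join(r["subject"] for r in recs))
```

In use, feed it the real output with `ipa cert-find --all | python3 check_serials.py`-style piping (reading `sys.stdin.read()` instead of the constructed sample). A subject with several VALID serials, as ceph-mgr-dashboard has above, is the normal outcome of re-enrolling without revoking; the older ones stay valid in the CA until revoked. Any non-empty result from `duplicate_serials` is the condition that must never occur and is the reason pruning a sequential-serial CA is discouraged.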
