mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
78298fd4e1
Configures PKI to remove expired certificates and non-resolved requests on a schedule. This is geared towards ACME which can generate a lot of certificates over a short period of time but is general purpose. It lives in ipa-acme-manage because that is the primary reason for including it. Random Serial Numbers v3 must be enabled for this to work. Enabling pruning enables the job scheduler within CS and sets the job user as the IPA RA user which has full rights to certificates and requests. Disabling pruning does not disable the job scheduler because the tool is stateless. Having the scheduler enabled should not be a problem. A restart of PKI is required to apply any changes. This tool forks out to pki-server which does direct writes to CS.cfg. It might be easier to use our own tooling for this but this makes the integration tighter so we pick up any improvements in PKI. The "cron" setting is quite limited, taking only integer values and *. It does not accept ranges, either - or /. No error checking is done in PKI when setting a value, only when attempting to use it, so some rudimentary validation is done. Fixes: https://pagure.io/freeipa/issue/9294 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> |
---|---|---|
.. | ||
advise | ||
custodia | ||
dnssec | ||
install | ||
plugins | ||
secrets | ||
__init__.py | ||
dcerpc_common.py | ||
dcerpc.py | ||
dns_data_management.py | ||
Makefile.am | ||
masters.py | ||
p11helper.py | ||
rpcserver.py | ||
servroles.py | ||
setup.cfg | ||
setup.py | ||
topology.py | ||
wsgi.py |