On 1/20/23 15:39, Rob Crittenden wrote:
> Jochen Kellner via FreeIPA-users wrote:
>> Orion Poplawski via FreeIPA-users <[email protected]>
>> writes:
>>
>>> Does anyone know of a script or way to get a list of certificates issued by
>>> the IPA CA that are about to expire?
>>
>> I do have a small script for byobu that warns when certificates are
>> about to expire and I verify refresh really works - that's only useful
>> for small installations with a small number of certificates.
>>
>> In short: get a time interval with date and feed the dates into "ipa
>> cert-find". Have fun!
> 
> There is a --status option you can set to valid which should return only
> currently valid certs (e.g. no revoked, expired, etc).
> 
> rob

Thanks for the suggestions.  I ended up going with the following because we
have superseded certs that are not revoked.  We're going to assume that the
new certs are put into the proper locations.  It's pretty pathological bash,
but I still get a perverse thrill from that. ;)

On the revocation topic - is it possible to get the previous certs that are
renewed by certmonger automatically revoked?

#!/bin/bash

now=$(date +%s)
declare -A expires

# Authenticate with the host keytab, list every VALID cert and keep only the
# Subject / Not After lines. The loop runs in a subshell so the array it fills
# is visible to the reporting loop that follows it in the same subshell.
KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
    ipa cert-find --status=VALID --sizelimit=0 | grep -E "(Subject|Not After):" |
        sed 's/^ *//' | ( while IFS=":" read -r key value
    do
        if [ "$key" = "Subject" ]
        then
            subj=${value# }
        else
            # A subject can have several VALID certs (renewed but never
            # revoked); keep the latest Not After so the newest one is checked.
            new=${value# }
            if [ -z "${expires[$subj]}" ] ||
               [ "$(date --date="$new" +%s)" -gt "$(date --date="${expires[$subj]}" +%s)" ]
            then
                expires["$subj"]=$new
            fi
        fi
    done

    for subj in "${!expires[@]}"
    do
        daysleft=$(( ($(date --date="${expires[$subj]}" +%s) - now) / 86400 ))
        [ "$daysleft" -le 100 ] && echo "$subj expires at ${expires[$subj]}"
    done )


-- 
Orion Poplawski
IT Systems Manager                         720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       [email protected]
Boulder, CO 80301                 https://www.nwra.com/
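As an added example, not code from the original post and not part of FreeIPA's own tooling: the same idea in Python, which parses the text output of `ipa cert-find`, keeps only the newest certificate per subject so that a superseded-but-unrevoked cert cannot mask a real expiry, flags subjects whose newest cert has 100 days or less left, and lists the superseded certs that are still VALID (the ones the revocation question is about). The sample output, the `MAIL_DATE` reference time and every function name are constructed for this example; the exact layout of `ipa cert-find` output and its two date formats are assumptions based on the field names the bash script greps for.

```python
"""Report IPA-issued certificates that are close to expiry (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of `ipa cert-find --status=VALID --sizelimit=0` output;
# the layout is an assumption, the field names match the bash script above.
SAMPLE_OUTPUT = """\
-----------------------
3 certificates matched
-----------------------
  Issuing CA: ipa
  Serial number: 41
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Sat Jan 22 10:00:00 2022 UTC
  Not After: Mon Jan 22 10:00:00 2024 UTC
  Status: VALID

  Issuing CA: ipa
  Serial number: 57
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Fri Jan 20 09:00:00 2023 UTC
  Not After: Sun Jan 19 09:00:00 2025 UTC
  Status: VALID

  Issuing CA: ipa
  Serial number: 58
  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Tue Mar 01 00:00:00 2022 UTC
  Not After: Wed Mar 01 00:00:00 2023 UTC
  Status: VALID
------------------------------
Number of entries returned 3
------------------------------
"""

# Constructed reference time (the date of the mail) used by the checks below.
MAIL_DATE = datetime(2023, 1, 20, 15, 39, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    not_after: datetime


def parse_not_after(value: str) -> datetime:
    """Accept the two layouts assumed here: 'Fri Jan 20 15:39:00 2023 UTC'
    and '2023-01-20 15:39:00'. Both are treated as UTC."""
    text = value.strip()
    if text.endswith(" UTC"):
        text = text[:-4]
    for fmt in ("%a %b %d %H:%M:%S %Y", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Not After value: {value!r}")


def parse_cert_find(text: str) -> list[Cert]:
    """One record per blank-line-separated block; 'key: value' lines only."""
    certs: list[Cert] = []
    fields: dict[str, str] = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if "Subject" in fields and "Not After" in fields:
                certs.append(Cert(fields["Subject"],
                                  int(fields.get("Serial number", "0")),
                                  parse_not_after(fields["Not After"])))
            fields = {}
            continue
        if ":" not in line:
            continue  # banner lines such as '3 certificates matched'
        key, value = line.split(":", 1)  # split on the first colon only
        fields[key.strip()] = value.strip()
    return certs


def newest_per_subject(certs: list[Cert]) -> dict[str, Cert]:
    """A renewed cert supersedes older VALID ones for the same subject."""
    newest: dict[str, Cert] = {}
    for cert in certs:
        current = newest.get(cert.subject)
        if current is None or cert.not_after > current.not_after:
            newest[cert.subject] = cert
    return newest


def expiring_within(certs: list[Cert], now: datetime,
                    days: int = 100) -> list[tuple[str, int, int]]:
    """(subject, serial, days_left) for each subject whose newest cert
    has at most `days` whole days of lifetime left."""
    report = []
    for subject, cert in sorted(newest_per_subject(certs).items()):
        left = (cert.not_after - now).days
        if left <= days:
            report.append((subject, cert.serial, left))
    return report


def superseded(certs: list[Cert]) -> list[Cert]:
    """Still-VALID certs that are no longer the newest for their subject."""
    newest = newest_per_subject(certs)
    return [c for c in certs if newest[c.subject].serial != c.serial]


if __name__ == "__main__":
    found = parse_cert_find(SAMPLE_OUTPUT)
    for subj, serial, left in expiring_within(found, datetime.now(timezone.utc)):
        print(f"{subj} (serial {serial}) expires in {left} days")
    for cert in superseded(found):
        print(f"superseded but still VALID: {cert.subject} serial {cert.serial}")
```

To run it against a live server, replace `SAMPLE_OUTPUT` with the captured output of `ipa cert-find --status=VALID --sizelimit=0`; the superseded list is the set of serials to hand to `ipa cert-revoke` if you decide the old certs really are out of use.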
FreeIPA-users mailing list -- [email protected]