Configuring CA Database Pruning - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to configure CA database pruning in PKI 11.3.

Prerequisite

Ensure that the certificate and request ID generators are configured to use RSNv3. See Configuring CA with Random Serial Numbers v3.

Configuration

The pruning configuration is stored in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg. It is necessary to restart the CA after making configuration changes.

Enabling pruning job

By default the pruning job is disabled. To enable the pruning job:

$ pki-server ca-config-set jobsScheduler.job.pruning.enabled true

Configuring job owner

The pruning job can only be accessed and triggered by the job owner. By default the job is owned by members of the Administrators group.

To configure an additional owner:

$ pki-server ca-config-set jobsScheduler.job.pruning.owner <username>

Configuring certificate retention period

By default an expired certificate will be retained for 30 days before it will be pruned. When an expired certificate is pruned, the corresponding request will also be pruned. To configure certificate retention period:

$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionTime 30
$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionUnit day

Valid retention units: minute, hour, day, year.

Configuring certificate search constraints

By default the pruning job will look for at most 1000 certificates without time limit. To configure certificate search constraints:

$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchSizeLimit 1000
$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchTimeLimit 0

The time limit is expressed in seconds. A value of 0 indicates there is no time limit.

Configuring request retention period

By default an incomplete request will be retained for 30 days before it will be pruned. To configure request retention period:

$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionTime 30
$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionUnit day

Valid retention units: minute, hour, day, year.

Configuring request search constraints

By default the pruning job will look for at most 1000 requests without time limit. To configure request search constraints:

$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchSizeLimit 1000
$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchTimeLimit 0

The time limit is expressed in seconds. A value of 0 indicates there is no time limit.

Triggering Pruning

Manual Trigger

To trigger pruning job manually, ensure the owner’s certificate is installed on the client, then execute the following command:

$ pki -n <nickname> ca-job-start pruning

Automatic Trigger

To trigger pruning job automatically using the internal scheduler, add the following parameter, then restart the CA:

$ pki-server ca-config-set jobsScheduler.job.pruning.cron "0 0 1 * *"

In the above example the job is scheduled to run at 12:00am on the first day of each month.

Alternatively, the pruning job can also be triggered using an external scheduler (e.g. cron). Ensure the owner’s certificate is installed on the client, then configure the scheduler to execute the following command:

$ pki -n <nickname> ca-job-start pruning
⚠️ **GitHub.com Fallback** ⚠️