Configuring CA Database Pruning - dogtagpki/pki GitHub Wiki
This page describes the process to configure CA database pruning in PKI 11.3.
Ensure that the certificate and request ID generators are configured to use RSNv3. See Configuring CA with Random Serial Numbers v3.
The pruning configuration is stored in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg. It is necessary to restart the CA after making configuration changes.
By default the pruning job is disabled. To enable the pruning job:
$ pki-server ca-config-set jobsScheduler.job.pruning.enabled true
The pruning job can only be accessed and triggered by the job owner.
By default the job is owned by members of the Administrators group.
To configure an additional owner:
$ pki-server ca-config-set jobsScheduler.job.pruning.owner <username>
By default an expired certificate will be retained for 30 days before it is pruned. When an expired certificate is pruned, the corresponding request is pruned as well. To configure the certificate retention period:
$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionTime 30
$ pki-server ca-config-set jobsScheduler.job.pruning.certRetentionUnit day
Valid retention units: minute, hour, day, year.
By default the pruning job will search for at most 1000 certificates with no time limit. To configure the certificate search constraints:
$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchSizeLimit 1000
$ pki-server ca-config-set jobsScheduler.job.pruning.certSearchTimeLimit 0
The time limit is expressed in seconds. A value of 0 indicates there is no time limit.
By default an incomplete request will be retained for 30 days before it is pruned. To configure the request retention period:
$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionTime 30
$ pki-server ca-config-set jobsScheduler.job.pruning.requestRetentionUnit day
Valid retention units: minute, hour, day, year.
By default the pruning job will search for at most 1000 requests with no time limit. To configure the request search constraints:
$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchSizeLimit 1000
$ pki-server ca-config-set jobsScheduler.job.pruning.requestSearchTimeLimit 0
The time limit is expressed in seconds. A value of 0 indicates there is no time limit.
To trigger the pruning job manually, ensure the owner's certificate is installed on the client, then execute the following command:
$ pki -n <nickname> ca-job-start pruning
To trigger the pruning job automatically using the internal scheduler, add the following parameter, then restart the CA:
$ pki-server ca-config-set jobsScheduler.job.pruning.cron "0 0 1 * *"
In the above example the job is scheduled to run at 12:00 AM on the first day of each month (minute 0, hour 0, day-of-month 1).
Alternatively, the pruning job can also be triggered using an external scheduler (e.g. cron). Ensure the owner's certificate is installed on the client, then configure the scheduler to execute the following command:
$ pki -n <nickname> ca-job-start pruning
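Because a malformed value (an unknown retention unit, a non-numeric limit, a cron entry with the wrong number of fields) is only noticed once the CA is restarted, it is worth checking the settings in CS.cfg first. The following POSIX sh script is an added example, not part of the Dogtag wiki or of pki-server; cfg_get, check_pruning_config and write_sample_cfg are names chosen here, and the CS.cfg fragment it writes is constructed for the demonstration.

```shell
# Added example, not Dogtag code: sanity-check pruning settings in a CA CS.cfg.
# Print the value of CS.cfg key $2 from file $1, or nothing if it is absent.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}
# Validate the jobsScheduler.job.pruning.* settings in the given CS.cfg.
# Returns 0 when every value is well formed, 1 otherwise (problems go to stderr).
check_pruning_config() {
    cfg="$1"; rc=0
    enabled=$(cfg_get "$cfg" jobsScheduler.job.pruning.enabled)
    [ "$enabled" = true ] || { echo "pruning job is not enabled (enabled='$enabled')" >&2; rc=1; }
    for kind in cert request; do
        unit=$(cfg_get "$cfg" "jobsScheduler.job.pruning.${kind}RetentionUnit")
        case "$unit" in
            minute|hour|day|year) ;;
            *) echo "${kind}RetentionUnit '$unit' is not minute|hour|day|year" >&2; rc=1 ;;
        esac
        # Retention time and both search limits must be non-negative integers (0 = no time limit).
        for field in RetentionTime SearchSizeLimit SearchTimeLimit; do
            val=$(cfg_get "$cfg" "jobsScheduler.job.pruning.${kind}${field}")
            case "$val" in
                ''|*[!0-9]*) echo "${kind}${field} '$val' is not a non-negative integer" >&2; rc=1 ;;
            esac
        done
    done
    # The cron entry is optional (manual/external scheduling); when present it needs five fields.
    cron=$(cfg_get "$cfg" jobsScheduler.job.pruning.cron)
    if [ -n "$cron" ]; then
        nf=$(printf '%s\n' "$cron" | awk '{print NF}')
        [ "$nf" -eq 5 ] || { echo "cron '$cron' does not have 5 fields" >&2; rc=1; }
    fi
    return "$rc"
}
# Constructed sample pruning section of a CS.cfg (not a real deployment), written to file $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
jobsScheduler.job.pruning.enabled=true
jobsScheduler.job.pruning.certRetentionTime=30
jobsScheduler.job.pruning.certRetentionUnit=day
jobsScheduler.job.pruning.certSearchSizeLimit=1000
jobsScheduler.job.pruning.certSearchTimeLimit=0
jobsScheduler.job.pruning.requestRetentionTime=30
jobsScheduler.job.pruning.requestRetentionUnit=day
jobsScheduler.job.pruning.requestSearchSizeLimit=1000
jobsScheduler.job.pruning.requestSearchTimeLimit=0
jobsScheduler.job.pruning.cron=0 0 1 * *
EOF
}
```

Run check_pruning_config against the live /var/lib/pki/pki-tomcat/conf/ca/CS.cfg after applying the pki-server ca-config-set commands above and before restarting the CA.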