Configuring Certificate Status Update Task - dogtagpki/pki GitHub Wiki
The CA has a task that periodically updates the status of the certificates in the database based on the server's current time.

The certificate status is stored in the `certStatus` attribute of the certificate record, for example:

```
dn: cn=...,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
...
notBefore: 20210401173719Z
notAfter: 20230322173719Z
...
certStatus: VALID
...
```
The task executes the following operations:

- update all `INVALID` certificates whose `notBefore <= <current time>` into `VALID`
- update all `VALID` certificates whose `notAfter <= <current time>` into `EXPIRED`
- update all `REVOKED` certificates whose `notAfter <= <current time>` into `REVOKED_EXPIRED`
By default the task is configured as follows in `/var/lib/pki/pki-tomcat/conf/ca/CS.cfg`:

```
ca.certStatusUpdateInterval=600
ca.transitRecordPageSize=200
ca.transitMaxRecords=1000000
```

where:

- `ca.certStatusUpdateInterval` indicates the update interval in seconds (default: `600`). Value `0` disables the task.
- `ca.transitRecordPageSize` indicates the VLV page size used in each operation (default: `200`).
- `ca.transitMaxRecords` indicates the maximum number of certificates to process in each run (default: `1000000`).
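The following Python script, added here as an example and not part of the Dogtag PKI code base, simulates the three status transitions listed above over certificate records in the LDIF shape shown at the top of the page, and models `ca.transitRecordPageSize` and `ca.transitMaxRecords` as a page size and a per-run record cap. The DNs, timestamps and the fixed "current time" (`DEMO_NOW`) are constructed for the demo; the assumption that the three operations run back to back within one run (so an `INVALID` certificate whose validity period has already ended becomes `VALID` and then `EXPIRED` in the same run) is this example's, not something the page states. Run against an export of the certificate repository, it gives an offline check of which `certStatus` values are stale relative to `notBefore`/`notAfter`, for instance on a clone where the task is disabled.

```python
"""Simulate the CA certificate status update task over LDIF-style records.

Added example, not Dogtag code: applies the task's three transitions and
reports which records a run would change.
"""
from datetime import datetime, timezone

# Constructed sample records; DNs and dates are made up for the example.
SAMPLE_LDIF = """\
dn: cn=1,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
notBefore: 20210401173719Z
notAfter: 20230322173719Z
certStatus: VALID

dn: cn=2,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
notBefore: 20300101000000Z
notAfter: 20310101000000Z
certStatus: INVALID

dn: cn=3,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
notBefore: 20200101000000Z
notAfter: 20210101000000Z
certStatus: REVOKED

dn: cn=4,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
notBefore: 20220101000000Z
notAfter: 20350101000000Z
certStatus: INVALID
"""

# Fixed "current time" for the demo (constructed, not the real clock).
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# The three operations, in the order the page lists them:
# (current status, attribute compared against the current time, new status)
TRANSITIONS = [
    ("INVALID", "notBefore", "VALID"),
    ("VALID", "notAfter", "EXPIRED"),
    ("REVOKED", "notAfter", "REVOKED_EXPIRED"),
]


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20210401173719Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Split LDIF text into a list of {attribute: value} dicts, one per entry."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def next_status(status, not_before, not_after, now):
    """Apply the transitions to one record and return its resulting status.

    Assumption of this example: the operations run back to back, so a record
    may pass through two transitions (INVALID -> VALID -> EXPIRED) in one run.
    """
    times = {"notBefore": not_before, "notAfter": not_after}
    for old, attr, new in TRANSITIONS:
        if status == old and times[attr] <= now:
            status = new
    return status


def run_task(records, now, page_size=200, max_records=1000000):
    """Return [(dn, old status, new status)] for records a run would change.

    page_size mirrors ca.transitRecordPageSize and max_records mirrors
    ca.transitMaxRecords: at most max_records records are examined per run,
    in pages of page_size; anything beyond the cap waits for the next run.
    """
    changes = []
    batch = records[:max_records]
    for start in range(0, len(batch), page_size):
        for rec in batch[start:start + page_size]:
            old = rec["certStatus"]
            new = next_status(old,
                              parse_generalized_time(rec["notBefore"]),
                              parse_generalized_time(rec["notAfter"]),
                              now)
            if new != old:
                changes.append((rec["dn"], old, new))
    return changes


if __name__ == "__main__":
    for dn, old, new in run_task(parse_ldif(SAMPLE_LDIF), DEMO_NOW, page_size=2):
        print(f"{dn}: {old} -> {new}")
```

With `DEMO_NOW` set to 2024-01-01 the run reports cn=1 as `VALID -> EXPIRED`, cn=3 as `REVOKED -> REVOKED_EXPIRED` and cn=4 as `INVALID -> VALID`, while cn=2 (not yet valid) is left alone; passing `max_records=2` shows how a low `ca.transitMaxRecords` leaves later records for a subsequent run.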
Note: The task is disabled by default in a CA clone:

```
ca.certStatusUpdateInterval=0
```

To change the configuration, update the parameters in `CS.cfg`, then restart the server.