-
|
Hi there, I am doing my first steps with step-ca and I am really happy with the features and how it works! I was wondering, especially if using step-ca for SSH certificates with rather short expiration times with a certain amount of users, whether it would be necessary and good to clean up the database from potentially 10.000s of expired certificates "laying around". Does step-ca clean up its own database by itself at some point? Is this even good to do? From what I understand about certificates, once it is expired it could be deleted from the database as it will not be possible to use it for anything anymore, right? Hope this is not a too stupid question. Christian |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Hi Christian, Great question. Another reason we store certificates in the db is to aid reporting later on. One more thing. If you are using the default Badger database for step-ca, consider occasional garbage collection on the database. That could free up a lot of space for you. Automatic GC is something we've wanted to add to step-ca, but have not yet added. (See this issue). Hope this helps! |
Beta Was this translation helpful? Give feedback.
Hi Christian,
Great question.
One reason we store certs in a database is for passive revocation.
For example, SSH host certs are often renewed with the SSHPOP provisioner.
If you don't want a certificate to be renewable for any reason, you'd want to revoke it, using
step ssh revoke.This command uses the history of issued certificates to look up a cert to be revoked.
Another reason we store certificates in the db is to aid reporting later on.
But,
step-cadoesn't offer much in the way of reporting. We have a commercial version ofstep-cacalled Step CA Pro, that has a lot more of those features (OpenTelemetry, relational db schema, etc.).So, for expired certs, yes, you can clear those ou…