Removing expired certificates from LDS (new ver of ADAM)
Posted
by jonthebrewer
on Stack Overflow
See other posts from Stack Overflow
or by jonthebrewer
Published on 2010-03-05T02:53:57Z
Indexed on
2010/03/08
0:12 UTC
Read the original article
Hit count: 864
Hi all.
This is my situation:
We are in the process of replacing a certificate store currently hosted on Sun's iPlanet with Microsoft's Lightweight Directory Services (new version of ADAM with Server 2008).
These certificates have been imported into LDS into an application partition (say o=myorg, C=AU). Under this structure I have around 40,000 OU's each one representing a customer under each customers OU are one or more user (iNetOrg) objects (around 60,000 in all). In each user are one or more certificates in the UserCertificate attribute.
A combination of in-house written application code and proprietory PKI code reads and publishes these certficates to validate financial transactions.
As the LDAP path of the certificates is stored within the customer certificates (and within the application code) and there is zero appetite for changing any of the code, I have had to pick up the iPlanet directory as a whole and dump it in LDS in the same structure.
(I will not be using or hosting a Microsoft CA, just implementing an LDAP compliant directory to host these certificates)
We have fully tested the application using the data in LDS and everything works fine - here is my dilema and question (finally, phew!)
There was no process put in place for removing revoked or expired certificates, consequently the vast majority of the data is completely useless, the system has been running for about 8 years! I have done a quick analysis and I estimate that at least 80% of the data is no longer valid.
As I am taking on responsibility for managing the directory I would like to start with a clean directory. Does anyone have any idea how I can cleanup these expired certificates. I am not a highly experienced scripter but have some background in VB. I have been researching the use of CAPICOM and have a feeling this may be able to be used but in exactly what way I am not sure??
I would prefer to write a script that I could specify an expiration date (say any certs that expired prior to 2010) then run against the LDS paritition. This way I can reuse the script periodically to cleanup the directory (as mentioned above - I have no way to adjust the applications that are writing the certs, this is with a third party).
Another, less attractive, alternative is to massage the LDIF file (2.7 million lines!) to rip the certs out prior to the import
Any help and advice MUCH appreciated.
Cheers
Jon
© Stack Overflow or respective owner