Remove unwanted CAs and CA Profiles

Randy Best
2013-08-29
2013-09-05
  • Randy Best
    2013-08-29

    We use this splendid product in our LAB. I am trying to clean up all unwanted test/exploratory CAs. I revoked/deleted all certs, revoked the CAs etc. How do I vaporize all the unwanted CAs? All attempts with the ADMIN GUI fail.

     
  • Since the main purpose of a CA is to maintain an auditability trace, vaporizing a CA was never meant to be easy. It will not allow you to break references between users, profiles and CAs. I'd say you need to manually clean the database.

    Trying to convert a LAB CA into production is not recommended. You'll be better off testing your procedures in the lab and re-installing everything in production.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

     
    • Randy Best
      2013-09-04

      I am only trying to avoid standing up another LAB/non-production instance, not a production version (I understand that drill). I truly need to vaporize assorted junk CAs. Is there a post that contains "manually clean the database" info, any ordering, linkages that one must be careful of whilst driving MySQL?

      Cheers,

      Randy

       
  • Check out the database schema at http://www.ejbca.org/library/index.html.

    CAData holds the CA and certificates and users are linked through issuerDNs and such. We have no guide for such manual cleaning, but usually recommend "drop database; create database" :-)

    You can vaporize the CAs simply by deleting the entries in CAData. This will leave issued certificates etc still in CertificateData, but that will not hurt unless you have very limited space in your database.

    Cheers,
    Tomas
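
The manual cleanup described in the reply above, sketched for MySQL as an added example that is not part of the original thread or of EJBCA's documentation. The table names CAData and CertificateData come from the thread; the UserData table, the column names (cAId, name, subjectDN, status, issuerDN, username) and the sample DN are assumptions to verify against the linked schema before running anything.

```sql
-- LAB database only. Take a full dump (mysqldump) before starting.
-- Assumption (not stated in the thread): EJBCA is stopped while these
-- statements run, so no cached CA state is written back afterwards.

-- Constructed placeholder: the subject DN of one junk CA.
SET @ca_dn = 'CN=Junk Test CA,O=Lab';

-- 1. List all CAs and confirm the DN above matches exactly one row.
--    Column names are assumed; check them against the published schema.
SELECT cAId, name, subjectDN, status
FROM CAData
ORDER BY name;

-- 2. See what still refers to that CA. The thread says certificates and
--    users are linked "through issuerDNs and such", so count both.
SELECT COUNT(*) AS issued_certs
FROM CertificateData
WHERE issuerDN = @ca_dn;

SELECT u.username
FROM UserData u                      -- assumed table and cAId column
JOIN CAData c ON c.cAId = u.cAId
WHERE c.subjectDN = @ca_dn;

-- 3. Delete inside a transaction so a wrong match can be rolled back.
START TRANSACTION;

DELETE FROM CAData
WHERE subjectDN = @ca_dn;

-- Must report exactly 1; anything else means the DN did not match
-- a single CA and the transaction should be rolled back.
SELECT ROW_COUNT() AS deleted_cas;

-- Optional: remove the certificates the deleted CA issued. The thread
-- notes that leaving them in CertificateData does no harm beyond space.
DELETE FROM CertificateData
WHERE issuerDN = @ca_dn;

COMMIT;   -- or ROLLBACK; if deleted_cas was not 1
```

Repeat from the `SET @ca_dn` line for each unwanted CA, and re-run the step 1 listing afterwards to confirm only the intended CAs remain.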