Over time, the diagnostic check may flag certificates as “expiring soon”. This commonly happens after a certificate has been renewed while the old one was left in place, so that two certificates exist for the same subject name. The following step-by-step guide shows how to find such duplicates and revoke the old ones.
Preparation: List Duplicate Certificates by Name
for i in $(univention-run-diagnostic-checks -t 02_certificate_check | awk -F "'" '/^Zertifikat / {print $2}'); do openssl x509 -noout -subject -in "$i"; done | awk -F "," '{print $6}' | awk '{print $3}'
This command takes the certificate files flagged by the diagnostic check and prints each one's subject, reduced to the common name (CN). Two things to keep in mind: the awk pattern /^Zertifikat / matches the check's output on a German-language system, so on another locale adjust it to the line prefix your system prints; and the field extraction ($6, then $3) assumes the subject layout of the system this was written on, so if the names come out empty or garbled, run openssl x509 -noout -subject on one of the listed files and adjust the field numbers. Write the list of subject names down before you proceed.
The following steps have to be repeated for every subject name you wrote down in the preparation.
1. Find Certificate IDs of the Duplicates
univention-certificate list-all | grep CertificateName
Replace CertificateName with one of the subject names retrieved in the preparation step. The output shows the certificate IDs of the currently active certificate as well as of the old one that is to be revoked; both IDs are needed in the next step. If more than two entries appear, note all of them and compare them pairwise below.
2. Compare Expiry Dates
univention-certificate dump -id CertificateID1 | grep -i "not after"
univention-certificate dump -id CertificateID2 | grep -i "not after"
Replace CertificateID1 and CertificateID2 with the actual IDs from the previous step. The certificate with the earlier “Not After” date is the old one; once you have identified it, revoke it in step 3. Double-check the dates before you continue: revoking the currently valid certificate instead of the old one would break the services that use it.
3. Revoke the Old Certificate
univention-certificate revoke -id CertificateID
Replace CertificateID with the ID of the older certificate determined in step 2. When all subject names from the preparation have been processed, run univention-run-diagnostic-checks -t 02_certificate_check again to confirm that the warning is gone.
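The following script is an added example that is not part of this article or of UCS itself; it strings steps 2 and 3 together for one pair of certificate IDs so that the older certificate is chosen by its “Not After” date rather than by eye. It assumes that univention-certificate dump prints an OpenSSL-style line of the form Not After : Mon DD HH:MM:SS YYYY GMT (as the grep in step 2 implies); the function names, the DO_REVOKE variable and the sample lines are my own and the sample dates are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of the original article). Picks the older of two
# certificates by their "Not After" date and revokes it only when DO_REVOKE=1.

# not_after_key LINE: turn an OpenSSL-style "Not After : Mar  3 12:00:00 2024 GMT"
# line into a zero-padded, sortable "2024-03-03 12:00:00" key. Prints nothing
# if the line does not contain a Not After field.
not_after_key() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        /[Nn]ot [Aa]fter/ {
            sub(/.*[Nn]ot [Aa]fter *: */, "")   # leave "Mar  3 12:00:00 2024 GMT"
            printf "%s-%s-%02d %s\n", $4, mon[$1], $2, $3
        }'
}

# pick_older ID1 LINE1 ID2 LINE2: print the ID whose certificate expires first,
# i.e. the one to revoke. Fails (exit 1) on identical expiry dates, because then
# the date cannot tell the two apart, and (exit 2) on unparsable input.
pick_older() {
    k1=$(not_after_key "$2")
    k2=$(not_after_key "$4")
    if [ -z "$k1" ] || [ -z "$k2" ]; then
        echo "could not parse a Not After date for $1 or $3" >&2
        return 2
    fi
    if [ "$k1" = "$k2" ]; then
        echo "identical expiry for $1 and $3; refusing to choose" >&2
        return 1
    fi
    # The keys are zero-padded, so lexical order equals chronological order.
    first=$(printf '%s\n%s\n' "$k1" "$k2" | sort | head -n 1)
    if [ "$first" = "$k1" ]; then echo "$1"; else echo "$3"; fi
}

# revoke_older_of ID1 ID2: live version of steps 2 and 3 for two IDs found in
# step 1. Prints the revoke command as a dry run unless DO_REVOKE=1 is set.
revoke_older_of() {
    line1=$(univention-certificate dump -id "$1" | grep -i "not after")
    line2=$(univention-certificate dump -id "$2" | grep -i "not after")
    victim=$(pick_older "$1" "$line1" "$2" "$line2") || return $?
    if [ "$victim" = "$1" ]; then keep=$2; else keep=$1; fi
    echo "older certificate: $victim (keeping $keep)"
    if [ "${DO_REVOKE:-0}" = 1 ]; then
        univention-certificate revoke -id "$victim"
    else
        echo "dry run: univention-certificate revoke -id $victim"
    fi
}

# Constructed sample lines (not real certificates) for a stand-alone check.
SAMPLE_OLD='            Not After : Mar  3 12:00:00 2024 GMT'
SAMPLE_NEW='            Not After : Mar  3 12:00:00 2029 GMT'
pick_older 42 "$SAMPLE_OLD" 43 "$SAMPLE_NEW"   # prints 42
```

Usage on a UCS system: source the script, then run revoke_older_of CertificateID1 CertificateID2 for each pair found in step 1; only after the dry-run output names the certificate you expect, rerun it with DO_REVOKE=1. The explicit failure on identical dates is deliberate, since two certificates renewed in the same second cannot be told apart this way and should be compared by serial number or subject by hand.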