17.4. Audit Retention
Audit data are required to be retained according to their retention categories:
- Extended Audit Retention: Audit data that is retained for necessary maintenance for a certificate's lifetime (from issuance to its expiration or revocation date). In Certificate System, they appear in the following areas:
  - Signed audit logs: All events defined in Appendix E. Audit Events of Red Hat Certificate System's Administration Guide.
  - In the CA's internal LDAP server, certificate request records received by the CA and the certificate records as the requests are approved.
- Normal Audit Retention: Audit data that is typically retained only to support normal operation. This includes all events that do not fall under the extended audit retention category.
Note
Certificate System does not provide any interface to modify or delete audit data.
17.4.1. Location of Audit Data
This section explains where Certificate System stores audit data and where to find the expiration date which plays a crucial role to determine the retention category.
17.4.1.1. Location of Audit Logs
Certificate System stores audit logs in the /var/log/pki-name/logs/signedAudit/ directory. For example, the audit logs of a CA are stored in the /var/lib/pki/instance_name/ca/logs/signedAudit/ directory. Normal users cannot access files in this directory. See
For a list of audit log events that need to follow the extended audit retention period, see the Audit events appendix in the Red Hat Certificate System Administration Guide.
Important
Do not delete any audit logs that contain any events listed in the "Extended Audit Events" appendix for certificate requests or certificates that have not yet expired. These audit logs will consume storage space, potentially up to all space available in the disk partition.
17.4.1.2. Location of Certificate Requests and Certificate Records
When certificate signing requests (CSRs) are submitted, the CA stores the CSRs in the request repository provided by the CA's internal directory server. When these requests are approved, each certificate issued successfully results in an LDAP record being created in the certificate repository by the same internal directory server.
The CA's internal directory server was specified in the following parameters when the CA was created using the pkispawn utility:
- pki_ds_hostname
- pki_ds_ldap_port
- pki_ds_database
- pki_ds_base_dn
If a certificate request has been approved successfully, the validity of the certificate can be viewed by accessing the CA EE portal either by request ID or by serial number.
To display the validity for a certificate request record:
- Log into the CA EE portal under https://host_name:port/ca/ee/ca/.
- Click.
- Enter the Request Identifier.
- Click.
- Search for Validity.
To display the validity from a certificate record:
- Log into the CA EE portal under https://host_name:port/ca/ee/ca/.
- Enter the serial number range. If you search for one specific record, enter the record's serial number in both the lowest and highest serial number field.
- Click on the search result.
- Search for Validity.
Important
Do not delete the request or certificate records of certificates that have not yet expired.
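The two retention categories above and the certificate records in the CA's internal directory server can be tied together in a retention check that runs before any signed audit log is removed from the signedAudit directory. The following is an added example, not code from Red Hat Certificate System or Dogtag: it reads certificate records in LDIF form, decides which certificates are still within their lifetime (and so keep their audit data in the extended category), reports the date until which signed audit logs for them must be kept, and names the rotated signedAudit files that cannot hold events for a still-valid certificate. The attribute names serialno, notBefore, notAfter and certStatus and the status value VALID are taken from the Dogtag certificate repository schema rather than from this page; the sample records, the log file names and modification times, the check date and the 30-day request margin are all constructed for the example. Exporting the records (for instance with ldapsearch against the host and base DN given by pki_ds_hostname and pki_ds_base_dn) is left to the operator.

```python
"""Audit retention check for Certificate System (added example, not RHCS code).

Decides which certificate records are still within their lifetime (extended
retention), when the signed audit logs may be dropped, and which rotated
signedAudit files are safe to delete. Attribute names, status values, file
names and the 30-day margin are assumptions, not taken from the page."""
from datetime import datetime, timedelta, timezone

# Constructed sample: four certificate records in LDIF form, reduced to the
# attributes used here (assumed schema names). Serial numbers and dates are
# made up for illustration.
SAMPLE_LDIF = """\
serialno: 1
notBefore: 20240101000000Z
notAfter: 20250101000000Z
certStatus: VALID

serialno: 2
notBefore: 20250301000000Z
notAfter: 20260301000000Z
certStatus: VALID

serialno: 3
notBefore: 20250401000000Z
notAfter: 20260401000000Z
certStatus: REVOKED

serialno: 4
notBefore: 20250501000000Z
notAfter: 20270501000000Z
certStatus: VALID
"""

# Constructed sample: the check date and the last-modified times of rotated
# signedAudit files (file names assumed).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOG_MTIMES = {
    "ca_audit.20240115": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "ca_audit.20250215": datetime(2025, 2, 15, tzinfo=timezone.utc),
    "ca_audit.20250520": datetime(2025, 5, 20, tzinfo=timezone.utc),
}

def parse_ldif(text):
    """Minimal LDIF reader: records are separated by blank lines and each
    'attr: value' line becomes one dict entry (a repeated attribute keeps
    the last value, which is enough for the single-valued attributes here)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def parse_gtime(value):
    """LDAP GeneralizedTime in the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def in_lifetime(rec, now):
    """A certificate's lifetime ends at expiration or revocation, so only VALID
    records whose notAfter lies in the future are still in extended retention."""
    return rec.get("certStatus") == "VALID" and parse_gtime(rec["notAfter"]) > now

def classify(records, now=NOW):
    """Split serial numbers into the extended and normal retention categories."""
    result = {"extended": [], "normal": []}
    for rec in records:
        result["extended" if in_lifetime(rec, now) else "normal"].append(rec["serialno"])
    return result

def retention_until(records, now=NOW):
    """Date before which no signed audit log holding events for a still-valid
    certificate may be deleted: the latest notAfter among those certificates."""
    dates = [parse_gtime(r["notAfter"]) for r in records if in_lifetime(r, now)]
    return max(dates) if dates else None

def deletable_logs(log_mtimes, records, now=NOW, margin=timedelta(days=30)):
    """Conservative choice of signedAudit files that cannot hold events for a
    still-valid certificate: keep every file last written on or after the
    earliest notBefore of such a certificate, minus a margin covering the
    request events that precede issuance (30 days is an assumed site policy)."""
    starts = [parse_gtime(r["notBefore"]) for r in records if in_lifetime(r, now)]
    if not starts:
        return sorted(log_mtimes)
    cutoff = min(starts) - margin
    return sorted(name for name, mtime in log_mtimes.items() if mtime < cutoff)

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("retention categories:", classify(recs))
    print("keep signed audit logs until:", retention_until(recs))
    print("deletable signedAudit files:", deletable_logs(SAMPLE_LOG_MTIMES, recs))
```

The status check and the date check are deliberately both applied: a record can still carry certStatus VALID for a while after its notAfter has passed, and a REVOKED certificate has left its lifetime even though notAfter is in the future. Because Certificate System itself provides no interface to delete audit data, any removal happens outside the product, and a check of this kind belongs in front of it; the file selection errs on the side of keeping a file whenever it might contain an event for an unexpired certificate.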