17.4. Audit Retention

Audit data must be retained according to its retention category:
  • Extended Audit Retention: Audit data that is retained for necessary maintenance for a certificate's lifetime (from issuance to its expiration or revocation date). In Certificate System, it appears in the following areas:
    • Signed audit logs: All events defined in Appendix E. Audit Events of Red Hat Certificate System's Administration Guide.
    • In the CA's internal LDAP server: certificate request records received by the CA, and the certificate records created when the requests are approved.
  • Normal Audit Retention: Audit data that is typically retained only to support normal operation. This includes all events that do not fall under the extended audit retention category.

Note

Certificate System does not provide any interface to modify or delete audit data.

17.4.1. Location of Audit Data

This section explains where Certificate System stores audit data and where to find the expiration date, which plays a crucial role in determining the retention category.

17.4.1.1. Location of Audit Logs

Certificate System stores audit logs in the /var/log/pki-name/logs/signedAudit/ directory. For example, the audit logs of a CA are stored in the /var/lib/pki/instance_name/ca/logs/signedAudit/ directory. Normal users cannot access files in this directory. See
For a list of audit log events that need to follow the extended audit retention period, see the Audit events appendix in the Red Hat Certificate System Administration Guide.

Important

Do not delete any audit logs that contain any events listed in the "Extended Audit Events" appendix for certificate requests or certificates that have not yet expired.
These audit logs consume storage space, potentially up to all space available in the disk partition.

17.4.1.2. Location of Certificate Requests and Certificate Records

When certificate signing requests (CSRs) are submitted, the CA stores the CSRs in the request repository provided by the CA's internal directory server. When these requests are approved, each successfully issued certificate results in an LDAP record being created in the certificate repository by the same internal directory server.
The CA's internal directory server was specified in the following parameters when the CA was created using the pkispawn utility:
  • pki_ds_hostname
  • pki_ds_ldap_port
  • pki_ds_database
  • pki_ds_base_dn
If a certificate request has been approved successfully, the validity of the certificate can be viewed by accessing the CA EE portal either by request ID or by serial number.
To display the validity for a certificate request record:
  1. Log into the CA EE portal under https://host_name:port/ca/ee/ca/.
  2. Click Check Request Status.
  3. Enter the Request Identifier.
  4. Click Issued Certificate.
  5. Search for Validity.
To display the validity from a certificate record:
  1. Log into the CA EE portal under https://host_name:port/ca/ee/ca/.
  2. Enter the serial number range. If you search for one specific record, enter the record's serial number in both the lowest and highest serial number fields.
  3. Click on the search result.
  4. Search for Validity.

Important

Do not delete the request or certificate records of certificates that have not yet expired.
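
The retention rule from the two Important notes can be checked mechanically before an audit log file is archived or removed. The following is an added example, not part of the original documentation or of Certificate System: it lists the certificates that still hold a log file in extended retention. The `[AuditEvent=...]` and `[CertSerialNum=...]` field layout of the constructed sample lines, the contents of `EXTENDED_EVENTS`, and the record dictionary standing in for the Validity values read from the CA EE portal are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: populate from the audit events appendix the page refers to;
# the two names here are illustrative entries only.
EXTENDED_EVENTS = {"CERT_REQUEST_PROCESSED", "CERT_STATUS_CHANGE_REQUEST_PROCESSED"}
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")  # [Key=Value] pairs in an audit line

def parse_serial(text):
    """Accept decimal or 0x-prefixed hexadecimal serial numbers."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def referenced_serials(lines):
    """Serial numbers named by extended-retention events in one log file."""
    serials = set()
    for line in lines:
        fields = dict(FIELD.findall(line))
        if fields.get("AuditEvent") in EXTENDED_EVENTS and fields.get("CertSerialNum"):
            serials.add(parse_serial(fields["CertSerialNum"]))
    return serials

def serials_blocking_deletion(lines, cert_records, now):
    """Serials whose lifetime (to expiration or revocation) has not ended.
    A serial with no known record is treated as blocking (fail closed)."""
    blocking = []
    for serial in sorted(referenced_serials(lines)):
        rec = cert_records.get(serial)
        if rec is None:
            blocking.append(serial)
            continue
        ends = [d for d in (rec["not_after"], rec.get("revoked_on")) if d]
        if min(ends) > now:
            blocking.append(serial)
    return blocking

UTC = timezone.utc
PREFIX = "0.http-bio-8443-exec-3 - [12/Mar/2021:10:15:02 UTC] [14] [6] "
# Constructed sample lines and records, not taken from a real instance.
SAMPLE_LOG = [
    PREFIX + "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=0x7] certificate request processed",
    PREFIX + "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=8] certificate request processed",
    PREFIX + "[AuditEvent=AUTH][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success",
]
SAMPLE_CERTS = {
    7: {"not_after": datetime(2023, 3, 12, tzinfo=UTC), "revoked_on": None},
    8: {"not_after": datetime(2031, 3, 12, tzinfo=UTC), "revoked_on": None},
}
NOW = datetime(2025, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(serials_blocking_deletion(SAMPLE_LOG, SAMPLE_CERTS, NOW))  # [8]
```

An empty result means every certificate referenced by the file has expired or been revoked; any remaining serial means the file still falls under extended audit retention.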