That could return many certificates:

- same subject, different service
- renewed certificate
- revoked certificate

The end user be responsible for sifting through the results. Acceptable?

Implementation note: we'd need a cert_find command for this. cert-show is limited to a single return entry.

As I've never tried, I'm not sure if you can add other identifying subject information to the certs issued (e.g. OU information) that might help filter the results. If you can't then, yes, several certificates would be returned by a subject query and you would have to sort through them.

Also, current CLI command does not return any revoked fields so it would be impossible to tell which certs were no longer valid from revocation.

It would certainly be nice to be able to filter by other attributes. Something like is currently available through the Dogtag UI (http://ipa.example.com:9180/ca/ee/ca/ - Retrieval tab and then Search Certificates), however, I would certainly be willing to sift through the results rather than having to try several serial numbers I think might be correct.

A revoked cert will have a revocation reason in the output from cert-show.

Was this added in upcoming 2.2? My 2.1.4 test install does not show this revocation information.

Oops I spoke too soon. I typed the wrong serial number.

One way to help sift through the certificates that would be listed by subject would be to allow more subject attributes. An OU could contain specify a host certificate or the service the cert is associated with. Currently IPA does not seem to allow for these extra attributes.

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=805200

Started design page: http://freeipa.org/page/Cert_find

Date searches are blocked by https://fedorahosted.org/pki/ticket/416

Because we are searching an external database will need to look into how we deal with search limits.

UI design will take place in related ticket #3419

master: 462beac

ipa-3-1: e5ab5eb