
DecisionFunc and certificate clean up #258

Closed
RonniSkansing opened this issue Nov 11, 2023 · 2 comments
Labels
question Further information is requested

Comments

@RonniSkansing

What is your question?

When using the certmagic.OnDemandConfig does certmagic automatically clean up
certificate storage, when a domain is no longer allowed?

Example:

```go
certmagic.Default.OnDemand = &certmagic.OnDemandConfig{
	DecisionFunc: func(name string) error {
		// check in DB if name should have managed TLS
		isAllowed := check(name)
		if !isAllowed {
			// will a previously allowed domain be cleaned up when it changes
			// from allowed to not allowed?
			return fmt.Errorf("Not allowed: %s", name)
		}
		return nil
	},
}
```

Also, I am assuming caching is done so the DecisionFunc is not called every time once a name has been allowed.
So when a domain goes from being allowed to not allowed, is there a function or logic that must be followed
to bust the cache for that name, or should I manually revoke and/or delete the certificate files?

What have you already tried?

I tried looking into the source files, but have been unable to determine the exact behavior or how it is handled with DecisionFunc.

@RonniSkansing RonniSkansing added the question Further information is requested label Nov 11, 2023
@francislavoie
Member

The unused cert will stay in storage until it expires, then it will be deleted once expired. So it'll stay in storage for up to 90 days.

@mholt
Member

mholt commented Nov 11, 2023

We wait until some time after it expires just in case it's useful to have around for any sort of investigations but yeah, it'll be cleaned up automatically later.

Do NOT revoke certificates unless a private key has been compromised.

@mholt mholt closed this as completed Nov 11, 2023
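The thread settles two things: certmagic removes the unused certificate from storage on its own some time after expiry, and revocation is reserved for key compromise. What the asker still has to build is the allow/deny logic itself, including the cache they assumed exists in front of the database lookup and a way to invalidate it when a name is withdrawn. The following is an added, self-contained example that is not code from certmagic or from anyone in this thread. It assumes a hypothetical in-memory `Allowlist` standing in for the database, a bounded-TTL verdict cache, and a `Decide` method with the same `func(name string) error` shape as the `DecisionFunc` in the issue; it deliberately does nothing to certificate files or revocation, in line with the maintainers' answer.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrNotAllowed is the sentinel wrapped into every denial, so callers can
// test for it with errors.Is regardless of the name in the message.
var ErrNotAllowed = errors.New("on-demand TLS not allowed for this name")

// decision is one cached allow/deny verdict and the time it stops being valid.
type decision struct {
	allowed bool
	expires time.Time
}

// Allowlist is a hypothetical stand-in for the "check in DB" call in the
// issue. Verdicts are cached for ttl so the backing store is not consulted on
// every TLS handshake; Remove evicts the cached verdict so a withdrawn name is
// denied on the very next check instead of after the TTL runs out.
type Allowlist struct {
	mu      sync.Mutex
	names   map[string]bool     // names currently permitted to get managed TLS
	cache   map[string]decision // recent verdicts, keyed by normalized name
	ttl     time.Duration
	now     func() time.Time // injectable clock, used by tests to age the cache
	lookups int              // count of simulated backing-store lookups
}

// NewAllowlist returns an empty allowlist whose verdicts are cached for ttl.
func NewAllowlist(ttl time.Duration) *Allowlist {
	return &Allowlist{
		names: map[string]bool{},
		cache: map[string]decision{},
		ttl:   ttl,
		now:   time.Now,
	}
}

// normalize folds case and strips a trailing dot so "App.Example.Com." and
// "app.example.com" share one allowlist entry and one cache slot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// Add permits a name and drops any cached denial for it.
func (a *Allowlist) Add(name string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	n := normalize(name)
	a.names[n] = true
	delete(a.cache, n)
}

// Remove withdraws a name and its cached verdict. The certificate already in
// storage is left alone: it is cleaned up automatically after expiry, and
// revocation is only for a compromised private key.
func (a *Allowlist) Remove(name string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	n := normalize(name)
	delete(a.names, n)
	delete(a.cache, n)
}

// Decide has the shape of the issue's DecisionFunc: nil allows issuance for
// name, a non-nil error denies it. Empty or wildcard names are always denied
// before touching the cache or the backing store.
func (a *Allowlist) Decide(name string) error {
	a.mu.Lock()
	defer a.mu.Unlock()
	n := normalize(name)
	if n == "" || strings.ContainsAny(n, "*/\\ ") {
		return fmt.Errorf("%w: malformed name %q", ErrNotAllowed, name)
	}
	if d, ok := a.cache[n]; ok && a.now().Before(d.expires) {
		if d.allowed {
			return nil
		}
		return fmt.Errorf("%w: %s", ErrNotAllowed, n)
	}
	a.lookups++ // simulated database lookup
	allowed := a.names[n]
	a.cache[n] = decision{allowed: allowed, expires: a.now().Add(a.ttl)}
	if !allowed {
		return fmt.Errorf("%w: %s", ErrNotAllowed, n)
	}
	return nil
}

// Lookups reports how many times the backing store was consulted.
func (a *Allowlist) Lookups() int {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.lookups
}

func main() {
	al := NewAllowlist(5 * time.Minute)
	al.Add("app.example.com") // constructed sample name
	fmt.Println(al.Decide("App.Example.Com")) // <nil>, one lookup
	fmt.Println(al.Decide("app.example.com")) // <nil>, served from cache
	al.Remove("app.example.com")
	fmt.Println(al.Decide("app.example.com")) // denied immediately
}
```

`Decide` can be passed straight into the `DecisionFunc` field of the snippet in the issue, and `Remove` is the "bust the cache for that name" step the asker was looking for; nothing in it deletes or revokes the certificate, which the maintainers say should be left to certmagic's own expiry-based cleanup.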