Hello,
This subject has come up in the past [1]. I am looking for a way to
generate a certificate with a longer lifetime than two years, but I
don't want to modify the standard profile.
Here is an idea and I want to know if this is a good or a bad idea.
Basically I want to create a new profile (say, LongLivedServiceCert) and
copy everything from caIPAserviceCert except for
policyset.serverCertSet.2.constraint.params.range=2200
policyset.serverCertSet.2.default.params.range=2191
profileId=LongLivedServiceCert
In other words:
# Export the stock profile and work on a copy
$ ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
$ cp caIPAserviceCert.profile LongLivedServiceCert.profile
# Raise the maximum and the default validity range
$ sed -i '/constraint.params.range/s/740/2200/' LongLivedServiceCert.profile
$ sed -i '/default.params.range/s/731/2191/' LongLivedServiceCert.profile
# Rename the profile (the ID is on the profileId= line)
$ sed -i '/^profileId=/s/caIPAserviceCert/LongLivedServiceCert/' LongLivedServiceCert.profile
# Import the copy as a new profile
$ ipa certprofile-import LongLivedServiceCert \
    --file LongLivedServiceCert.profile \
    --desc 'Profile for network services with longer lifetime certs' \
    --store=true
Will this work?
[1] https://listman.redhat.com/archives/freeipa-users/2017-January/026677.html
--
Kees
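
Added example, not part of the original message and not FreeIPA code: a shell check to run before importing, confirming that the derived profile differs from the exported base only in the three keys listed in the message, that profileId matches the name being imported, and that the default validity does not exceed the constraint. The function names and the sample excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Keys the derived profile may change:
ALLOWED_KEYS='profileId
policyset.serverCertSet.2.constraint.params.range
policyset.serverCertSet.2.default.params.range'

# Print the value of key $2 in profile file $1.
profile_value() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Print every key that was added, removed or given a new value between $1 and $2.
changed_keys() {
    awk '
        /^#/ || !/=/ { next }
        { key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1) }
        FNR == NR { base[key] = val; next }
        { seen[key] = 1; if (!(key in base) || base[key] != val) print key }
        END { for (k in base) if (!(k in seen)) print k }
    ' "$1" "$2" | sort
}

# check_profile BASE DERIVED NEW_ID: succeed only if the edit did what was intended.
check_profile() {
    extra=$(changed_keys "$1" "$2" | grep -vxF "$ALLOWED_KEYS" || true)
    [ -z "$extra" ] || { echo "unexpected changes: $extra" >&2; return 1; }
    [ "$(profile_value "$2" profileId)" = "$3" ] ||
        { echo "profileId is not $3" >&2; return 1; }
    def=$(profile_value "$2" policyset.serverCertSet.2.default.params.range)
    max=$(profile_value "$2" policyset.serverCertSet.2.constraint.params.range)
    [ "$def" -le "$max" ] || { echo "default $def exceeds constraint $max" >&2; return 1; }
}

# Constructed excerpt standing in for the exported caIPAserviceCert.profile.
write_sample_base() {
    cat > "$1" <<'EOF'
profileId=caIPAserviceCert
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.params.range=731
EOF
}

# Usage: sh check.sh caIPAserviceCert.profile LongLivedServiceCert.profile LongLivedServiceCert
if [ "$#" -eq 3 ]; then check_profile "$@"; fi
```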