Kees Bakker via FreeIPA-users wrote:
> Hello,
>
> This subject has come up in the past [1]. I am looking for a way to
> generate a certificate with a longer lifetime than two years, but I
> don't want to modify the standard profile.
>
> Here is an idea and I want to know if this is a good or a bad idea.
>
> Basically I want to create a new profile (say, LongLivedServiceCert) and
> copy everything from caIPAserviceCert except for
>
>   policyset.serverCertSet.2.constraint.params.range=2200
>   policyset.serverCertSet.2.default.params.range=2191
>   profileId=LongLivedServiceCert
>
>
> In other words:
>
> $ ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
> $ cp caIPAserviceCert.profile LongLivedServiceCert.profile
> $ sed -i '/constraint.params.range/s/740/2200/' LongLivedServiceCert.profile
> $ sed -i '/default.params.range/s/731/2191/' LongLivedServiceCert.profile
> $ sed -i '/^profileId=/s/caIPAserviceCert/LongLivedServiceCert/' LongLivedServiceCert.profile
> $ ipa certprofile-import LongLivedServiceCert \
>     --file LongLivedServiceCert.profile \
>     --desc 'Profile for network services with longer lifetime certs' \
>     --store=true
>
> Will this work?
>
> [1] https://listman.redhat.com/archives/freeipa-users/2017-January/026677.html
> --
> Kees
>
Yep, should be fine. You'll need to remember to add --profile/-T to
certmonger commands when requesting the certs but renewals will use the
defined profile.

rob
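
An added example, not part of the original thread or of FreeIPA: the profile edit described above done by key name rather than by matching the old values, followed by a check that all three keys really changed before the file is imported (`sed -i` exits 0 even when a pattern matches nothing). The function names and the four-line sample profile are constructed for illustration; a real export from `ipa certprofile-show --out` has many more lines.

```shell
#!/bin/sh
# Constructed sample: only the lines of an exported caIPAserviceCert
# profile that matter here.
sample_profile() {
cat <<'EOF'
profileId=caIPAserviceCert
desc=Constructed sample for this example
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.params.range=731
EOF
}

# derive_profile NEW_ID CONSTRAINT_DAYS DEFAULT_DAYS < old > new
# Rewrites each key's value regardless of what the old value was.
derive_profile() {
    new_id=$1 constraint=$2 default=$3
    sed -e "s/^profileId=.*/profileId=$new_id/" \
        -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range\)=.*/\1=$constraint/" \
        -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range\)=.*/\1=$default/"
}

# check_profile NEW_ID CONSTRAINT_DAYS DEFAULT_DAYS < new
# Succeeds only if each key appears exactly once with the expected value
# and the default validity does not exceed the constraint.
check_profile() {
    awk -F'=' -v id="$1" -v c="$2" -v d="$3" '
        $1 == "profileId" { n_id++; ok_id = ($2 == id) }
        $1 == "policyset.serverCertSet.2.constraint.params.range" { n_c++; ok_c = ($2 == c) }
        $1 == "policyset.serverCertSet.2.default.params.range" { n_d++; ok_d = ($2 == d) }
        END { exit !(n_id == 1 && n_c == 1 && n_d == 1 &&
                     ok_id && ok_c && ok_d && d + 0 <= c + 0) }
    '
}

# Usage against a real export (file names as in the thread):
#   derive_profile LongLivedServiceCert 2200 2191 \
#       < caIPAserviceCert.profile > LongLivedServiceCert.profile
#   check_profile LongLivedServiceCert 2200 2191 \
#       < LongLivedServiceCert.profile || echo "profile not fully rewritten" >&2
```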
