On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote:
> I restarted certmonger and it seems to be working. Is there some way
> to change the renewal interval so we can simulate this in the lab? I'd
> like to see it go through a number of renewals to make sure we don't
> keep having this problem.

Attempts to re-enroll are triggered as the not-valid-after date
approaches and you cross a threshold time-left value.

The default ("2419200, 604800, 259200, 172800, 86400", which works out
to 28, 7, 3, 2, and 1 day, when you convert from seconds to days) can be
modified by setting the "ttls" value in the [defaults] section of
/etc/certmonger/certmonger.conf.

To avoid going nuts, the daemon will actually hold off on certificates
with a not-before value that's not at least an hour in the past, so
adding a really high "ttls" value (say, longer than the certificate's
entire validity period) should force frequent re-enrollments, though I
haven't done this myself.

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to