I'm generating CSRs like this:

   # certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 

Then pasting this into the web interface of our IPA instance under "Actions->New Certificate" on the host's page. I then use Actions->View Certificate and see that it expires in 2019.

I want that cert to expire in 2022. What do I need to change to make that happen, and what's the right way to do it? I looked at some of the scripts & files under /etc/pki and see references to $DAYS that look to do what I want, but I don't want to do something that'll get clobbered at the next IPA upgrade.


On 01/19/2017 10:30 AM, Kimi Rachel wrote:

heyy Bret, how are you? lets talk details ..

On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman <bret.wort...@damascusgrp.com <mailto:bret.wort...@damascusgrp.com>> wrote:

    It seems all our certs being signed by the FreeIPA CA are given 2
    year expirations. We'd like to increase that to 5 years. I've
    added "-v 60" to our certutil commands generating the CSRs, but
    the CA is still only issuing 24 month certs.

    What do I need to change to issue certs with longer lifetimes? We
    really don't want to go around every 2 years and reissue certs...

-- *Bret Wortman*
    Damascus Products
    ph/fax: 1-855-644-2783
    Wrap Buddies InDemand <wrapbuddies.co/store> at

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to