I'm generating CSRs like this:
# certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8
${SHORTHOST},${HOST}
Then pasting this into the web interface of our IPA instance under
"Actions->New Certificate" on the host's page. I then use Actions->View
Certificate and see that it expires in 2019.
I want that cert to expire in 2022. What do I need to change to make
that happen, and what's the right way to do it? I looked at some of the
scripts & files under /etc/pki and see references to $DAYS that look to
do what I want, but I don't want to do something that'll get clobbered
at the next IPA upgrade.
Bret
On 01/19/2017 10:30 AM, Kimi Rachel wrote:
Mail
heyy Bret, how are you? lets talk details ..
On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman
<bret.wort...@damascusgrp.com <mailto:bret.wort...@damascusgrp.com>>
wrote:
It seems all our certs being signed by the FreeIPA CA are given 2
year expirations. We'd like to increase that to 5 years. I've
added "-v 60" to our certutil commands generating the CSRs, but
the CA is still only issuing 24 month certs.
What do I need to change to issue certs with longer lifetimes? We
really don't want to go around every 2 years and reissue certs...
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand <wrapbuddies.co/store> at
http://bwortman.us/2ieQN4t
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
