On Thu, 19 Jan 2017, Bret Wortman wrote:
It seems all our certs being signed by the FreeIPA CA are given 2 year expirations. We'd like to increase that to 5 years. I've added "-v 60" to our certutil commands generating the CSRs, but the CA is still only issuing 24 month certs.
What do I need to change to issue certs with longer lifetimes? We really don't want to go around every 2 years and reissue certs...
You need to update your certificate profile.

Something like

ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile

edit file.profile and change the constraint and the default for
Validity:

policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0

The values are in days: by default the default is 2*365+1 days while the
constraint is 2*365+10 days.

After you have changed them so that the default is less than the constraint,
update the profile:

ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile

Now you can re-submit the request to get the certificate updated.

--
/ Alexander Bokovoy
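The edit-and-check step from the reply above, as an added example that is not code from the thread or from the FreeIPA project: it rewrites the two Validity range keys in an exported profile file and refuses a default that is not below the constraint. It assumes the policyset.serverCertSet.2.* keys shown above; the ipa commands only run when IPA_APPLY=1, otherwise a constructed sample profile stands in for the export.

```shell
# Added example (not from the thread or FreeIPA): change the Validity
# default/constraint ranges of an exported profile, keeping default < constraint.
# The ipa calls run only with IPA_APPLY=1; otherwise a constructed sample is used.
PROFILE=caIPAserviceCert
WORK=$(mktemp -d)
FILE="$WORK/$PROFILE.profile"

# Constructed stand-in for the Validity section of `ipa certprofile-show --out`.
write_sample_profile() {
  cat > "$1" <<'EOF'
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
EOF
}

# get_range FILE default|constraint : print the current range in days
get_range() {
  sed -n "s/^policyset\.serverCertSet\.2\.$2\.params\.range=//p" "$1"
}

# set_validity FILE DEFAULT_DAYS CONSTRAINT_DAYS : rewrite both ranges;
# fails and leaves the file untouched unless default < constraint.
set_validity() {
  file=$1; def=$2; con=$3
  [ "$def" -lt "$con" ] || { echo "default $def must be below constraint $con" >&2; return 1; }
  sed -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range=\).*/\1$con/" \
      -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range=\).*/\1$def/" \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

if [ "${IPA_APPLY:-0}" = 1 ]; then
  ipa certprofile-show "$PROFILE" --out="$FILE"
else
  write_sample_profile "$FILE"
fi
# Five years with the same +1/+10 margins the shipped profile uses:
# default 5*365+1 = 1826 days, constraint 5*365+10 = 1835 days.
set_validity "$FILE" 1826 1835
echo "default=$(get_range "$FILE" default) constraint=$(get_range "$FILE" constraint)"
if [ "${IPA_APPLY:-0}" = 1 ]; then
  ipa certprofile-mod "$PROFILE" --file="$FILE"
fi
```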

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project