On Thu, 19 Jan 2017, Bret Wortman wrote:
> It seems all our certs being signed by the FreeIPA CA are given 2 year
> expirations. We'd like to increase that to 5 years. I've added "-v 60"
> to our certutil commands generating the CSRs, but the CA is still only
> issuing 24 month certs.
> What do I need to change to issue certs with longer lifetimes? We
> really don't want to go around every 2 years and reissue certs...
You need to update your certificate profile.
Something like
ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
edit file.profile and change the constraint and the default for
Validity:
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
The value is in days and by default is 2*365+1 while constraint is
2*365+10 days.
After you have changed them so that the default is less than the constraint,
update the profile:
ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile
Now you can re-submit the request to get the certificate updated.
--
/ Alexander Bokovoy
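As an added example (constructed here, not code from the thread or from FreeIPA), a small Python helper that parses an exported profile file, locates the validity policy by its class_id instead of assuming it is entry 2 of serverCertSet, and rewrites both range values only when the default stays below the constraint as the answer above requires. The SAMPLE_PROFILE excerpt is constructed from the lines quoted in the answer.

```python
import re

# Constructed excerpt of an exported caIPAserviceCert profile (a real
# export has many more policyset.* lines); 731/740 are the stock values.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
"""

def validity_prefix(profile_text):
    """Find the policyset prefix of the validity constraint by its class_id."""
    for line in profile_text.splitlines():
        m = re.match(r"(policyset\.\w+\.\d+)\.constraint\.class_id=validityConstraintImpl$", line)
        if m:
            return m.group(1)
    raise ValueError("no validityConstraintImpl entry in profile")

def current_validity(profile_text):
    """Return (default_days, constraint_days) as currently set in the profile."""
    p = validity_prefix(profile_text)
    kv = dict(l.split("=", 1) for l in profile_text.splitlines() if "=" in l)
    return int(kv[p + ".default.params.range"]), int(kv[p + ".constraint.params.range"])

def set_validity(profile_text, default_days, constraint_days):
    """Rewrite both range values; the default must stay below the constraint."""
    if not 0 < default_days < constraint_days:
        raise ValueError("default validity must be > 0 and less than the constraint range")
    p = validity_prefix(profile_text)
    new = {p + ".constraint.params.range": str(constraint_days),
           p + ".default.params.range": str(default_days)}
    out, seen = [], set()
    for line in profile_text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key in new:
            out.append(key + "=" + new[key])   # replace only the two range lines
            seen.add(key)
        else:
            out.append(line)                    # every other line is kept verbatim
    if seen != set(new):
        raise ValueError("profile lacks validity range keys: " + str(sorted(set(new) - seen)))
    return "\n".join(out) + "\n"
```

The rewritten text is what you would feed back with ipa certprofile-mod; note that the certutil -v option only affects self-signed certs made by certutil, not what the CA issues.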