Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)
On Thu, 19 Jan 2017, Bret Wortman wrote:
> It seems all our certs being signed by the FreeIPA CA are given 2 year
> expirations. We'd like to increase that to 5 years. I've added "-v 60" to
> our certutil commands generating the CSRs, but the CA is still only
> issuing 24 month certs. What do I need to change to issue certs with
> longer lifetimes? We really don't want to go around every 2 years and
> reissue certs...

You need to update your certificate profile. Something like

  ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile

edit file.profile and change the constraint and the default for Validity:

  policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
  policyset.serverCertSet.2.constraint.name=Validity Constraint
  policyset.serverCertSet.2.constraint.params.notAfterCheck=false
  policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
  policyset.serverCertSet.2.constraint.params.range=740
  policyset.serverCertSet.2.default.class_id=validityDefaultImpl
  policyset.serverCertSet.2.default.name=Validity Default
  policyset.serverCertSet.2.default.params.range=731
  policyset.serverCertSet.2.default.params.startTime=0

The value is in days and by default is 2*365+1, while the constraint is
2*365+10 days. After you have changed them so that the default is less than
the constraint, update the profile:

  ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile

Now you can re-submit the request to get the certificate updated.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
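The export / edit / re-import procedure above, scripted as an added example (this is not code from the thread or from the FreeIPA project). It rewrites only the two `range=` values of the `policyset.serverCertSet.2.*` Validity entries quoted in the reply, and it refuses to write a default that exceeds the constraint, since the CA's validity constraint would then reject every request that takes the default. The constructed sample profile, the `set_validity`/`check_validity`/`get_range` function names and the choice of 1826 days (5*365+1) with an 1835-day constraint, mirroring the stock 731/740 pair, are assumptions of this example; the live `ipa certprofile-show`/`certprofile-mod` calls are the ones from the reply and are left in a comment so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. Edits the Validity ranges in
# an exported FreeIPA certificate profile and sanity-checks the result.

# sample_profile FILE
# Writes a constructed stand-in for the relevant lines of an exported
# caIPAserviceCert profile (the stock 731/740 day values from the thread).
sample_profile() {
    printf '%s\n' \
        'policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl' \
        'policyset.serverCertSet.2.constraint.name=Validity Constraint' \
        'policyset.serverCertSet.2.constraint.params.range=740' \
        'policyset.serverCertSet.2.default.class_id=validityDefaultImpl' \
        'policyset.serverCertSet.2.default.name=Validity Default' \
        'policyset.serverCertSet.2.default.params.range=731' \
        'policyset.serverCertSet.2.default.params.startTime=0' > "$1"
}

# get_range FILE default|constraint
# Prints the configured number of days for that Validity entry.
get_range() {
    sed -n "s/^policyset\.serverCertSet\.2\.$2\.params\.range=//p" "$1"
}

# set_validity FILE DEFAULT_DAYS CONSTRAINT_DAYS
# Rewrites both range= lines. Refuses when the default would exceed the
# constraint, because the validity constraint then rejects the default.
set_validity() {
    file=$1; def=$2; con=$3
    if [ "$def" -gt "$con" ]; then
        echo "default ($def days) must not exceed constraint ($con days)" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed \
        -e "s/^\(policyset\.serverCertSet\.2\.constraint\.params\.range=\).*/\1$con/" \
        -e "s/^\(policyset\.serverCertSet\.2\.default\.params\.range=\).*/\1$def/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_validity FILE
# Succeeds only if both ranges are present and default <= constraint; run it
# before handing the file back to the CA.
check_validity() {
    d=$(get_range "$1" default); c=$(get_range "$1" constraint)
    [ -n "$d" ] && [ -n "$c" ] && [ "$d" -le "$c" ]
}

# Against a live server the sequence is (not executed here):
#   ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
#   set_validity caIPAserviceCert.profile 1826 1835
#   check_validity caIPAserviceCert.profile \
#     && ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile
# and then re-submit the CSR; the new lifetime applies only to certs issued
# after the profile change, not to certs already issued.
```

Keep a copy of the exported profile before editing it; `ipa certprofile-mod --file` replaces the whole profile, so a stray edit elsewhere in the file goes live along with the new validity.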
Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)
I'm generating CSRs like this:

  # certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST}

Then pasting this into the web interface of our IPA instance under
"Actions->New Certificate" on the host's page. I then use
Actions->View Certificate and see that it expires in 2019. I want that cert
to expire in 2022. What do I need to change to make that happen, and what's
the right way to do it? I looked at some of the scripts & files under
/etc/pki and see references to $DAYS that look to do what I want, but I
don't want to do something that'll get clobbered at the next IPA upgrade.

Bret

On 01/19/2017 10:30 AM, Kimi Rachel wrote:
> Hey Bret, how are you? Let's talk details..
>
> On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman wrote:
>> It seems all our certs being signed by the FreeIPA CA are given 2 year
>> expirations. We'd like to increase that to 5 years. I've added "-v 60"
>> to our certutil commands generating the CSRs, but the CA is still only
>> issuing 24 month certs. What do I need to change to issue certs with
>> longer lifetimes? We really don't want to go around every 2 years and
>> reissue certs...

-- 
Bret Wortman
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at http://bwortman.us/2ieQN4t