Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Alexander Bokovoy

On Thu, 19 Jan 2017, Bret Wortman wrote:
It seems all our certs being signed by the FreeIPA CA are given 2 year 
expirations. We'd like to increase that to 5 years. I've added "-v 60" 
to our certutil commands generating the CSRs, but the CA is still only 
issuing 24 month certs.


What do I need to change to issue certs with longer lifetimes? We 
really don't want to go around every 2 years and reissue certs...

You need to update your certificate profile.

Something like

ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile

edit file.profile and change the constraint and the default for
Validity:

policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0

The value is in days and by default is 2*365+1 while constraint is
2*365+10 days.

After you changed them so that default is less than the constraint,
update the profile:

ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile

Now you can re-submit the request to get the certificate updated.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
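The edit-the-profile step in the reply above, written out as a small POSIX shell helper. This is an added example, not code from the thread or from the FreeIPA project: it assumes the profile has already been exported with `ipa certprofile-show ... --out=` and will be re-imported with `ipa certprofile-mod ... --file=`, and the function names (years_to_days, get_range, set_validity, check_validity, write_sample_profile) are this example's own. The sample profile it writes is constructed from the Validity lines quoted in the reply, so the script can be exercised without a live IPA server. Note that the CSR's own validity request (the `-v 60` passed to certutil in the original question) is not what the CA honours; the profile's validityDefaultImpl range sets the lifetime and the validityConstraintImpl range caps it.

```shell
#!/bin/sh
# Added example (not from the thread). Adjusts the Validity policy of an exported
# FreeIPA/Dogtag certificate profile so issued certificates live longer.
# Assumed workflow around these helpers:
#   ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
#   set_validity caIPAserviceCert.profile "$(years_to_days 5)"
#   ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile
set -eu

# Policy id 2 of serverCertSet is the Validity policy in the stock profile.
PFX='policyset\.serverCertSet\.2'

# years_to_days N: same convention as the stock default (2 years = 2*365+1 = 731).
years_to_days() {
  echo $(( $1 * 365 + 1 ))
}

# get_range FILE KIND: print the range (in days) of KIND, "default" or "constraint".
get_range() {
  sed -n "s/^${PFX}\.$2\.params\.range=//p" "$1"
}

# set_validity FILE DAYS: default range becomes DAYS, constraint range DAYS + 9.
# The stock profile keeps a 9-day margin (731 vs 740); keeping that margin keeps
# the default below the constraint, which the reply above says must hold.
set_validity() {
  file=$1
  days=$2
  constraint=$(( days + 9 ))
  sed -e "s/^\(${PFX}\.constraint\.params\.range=\).*/\1${constraint}/" \
      -e "s/^\(${PFX}\.default\.params\.range=\).*/\1${days}/" \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_validity FILE: "ok" when both ranges exist and default < constraint, else "bad".
check_validity() {
  d=$(get_range "$1" default)
  c=$(get_range "$1" constraint)
  if [ -n "$d" ] && [ -n "$c" ] && [ "$d" -lt "$c" ]; then
    echo ok
  else
    echo bad
  fi
}

# write_sample_profile FILE: constructed sample containing only the Validity lines
# quoted in the thread (a real export holds many more policies; the helpers above
# only touch the two range lines and leave everything else untouched).
write_sample_profile() {
  cat > "$1" <<'EOF'
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
EOF
}
```

To use it against a real export, run `set_validity caIPAserviceCert.profile "$(years_to_days 5)"` after the `certprofile-show` export and before the `certprofile-mod` import, then confirm with `check_validity caIPAserviceCert.profile` that the default still sits below the constraint. Because the profile is stored in the CA rather than under /etc/pki, this change survives IPA upgrades in the way the original question asked for.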


Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Bret Wortman

I'm generating CSRs like this:

   # certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST}

Then pasting this into the web interface of our IPA instance under 
"Actions->New Certificate" on the host's page. I then use Actions->View 
Certificate and see that it expires in 2019.


I want that cert to expire in 2022. What do I need to change to make 
that happen, and what's the right way to do it? I looked at some of the 
scripts & files under /etc/pki and see references to $DAYS that look to 
do what I want, but I don't want to do something that'll get clobbered 
at the next IPA upgrade.



Bret


On 01/19/2017 10:30 AM, Kimi Rachel wrote:


heyy Bret, how are you? lets talk details ..


On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman wrote:


It seems all our certs being signed by the FreeIPA CA are given 2
year expirations. We'd like to increase that to 5 years. I've
added "-v 60" to our certutil commands generating the CSRs, but
the CA is still only issuing 24 month certs.

What do I need to change to issue certs with longer lifetimes? We
really don't want to go around every 2 years and reissue certs...


-- 
*Bret Wortman*

Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at
http://bwortman.us/2ieQN4t



