Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Alexander Bokovoy
On to, 19 tammi 2017, Bret Wortman wrote: It seems all our certs being signed by the FreeIPA CA are given 2 year expirations. We'd like to increase that to 5 years. I've added "-v 60" to our certutil commands generating the CSRs, but the CA is still only issuing 24 month certs. What do I

Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Bret Wortman
I'm generating CSRs like this: # certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST} Then pasting this into the web interface of our IPA instance under "Actions->New Certificate" on the host's page. I then use Actions->View Certificate and see