[Freeipa-users] (no subject)

Nalin Dahyabhai nalin at redhat.com
Tue Mar 20 20:52:42 UTC 2012


On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote:
> I restarted certmonger and it seems to be working. Is there some way
> to change the renewal interval so we can simulate this in the lab? I'd
> like to see it go through a number of renewals to make sure we don't
> keep having this problem.

Attempts to re-enroll are triggered as the not-valid-after date
approaches and you cross a threshold time-left value.

The default ("2419200, 604800, 259200, 172800, 86400", which works out
to 28, 7, 3, 2, and 1 day, when you convert from seconds to days) can be
modified by setting the "ttls" value in the [defaults] section of
/etc/certmonger/certmonger.conf.

To avoid going nuts, the daemon will actually hold off on certificates
with a not-before value that's not at least an hour in the past, so
adding a really high "ttls" value (say, longer than the certificate's
entire validity period) should force frequent re-enrollments, though I
haven't done this myself.

HTH,

Nalin
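
The threshold and hold-off behaviour described in the message above, modelled as an added example (not part of the original post and not certmonger's own code). The sample config, the dates, the function names, and the acceptance of comma- or space-separated "ttls" values are assumptions of this sketch.

```python
import configparser
import re
from datetime import datetime, timedelta, timezone

HOLD_OFF = timedelta(hours=1)  # per the message: not-before must be at least an hour old

# Constructed lab config: the message's default thresholds plus one value
# (10 years) longer than the test certificate's entire validity period.
SAMPLE_CONF = """
[defaults]
ttls = 315360000, 2419200, 604800, 259200, 172800, 86400
"""

def parse_ttls(conf_text):
    """Return the [defaults] ttls thresholds in seconds, largest first."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get("defaults", "ttls")
    # Accepting comma- or space-separated values is an assumption of this sketch.
    return sorted((int(v) for v in re.split(r"[,\s]+", raw.strip()) if v), reverse=True)

def renewal_schedule(not_before, not_after, ttls):
    """Model when each time-left threshold can trigger a re-enrollment attempt.

    A threshold is crossed at not_after - threshold, but the attempt is
    deferred until not-before is at least HOLD_OFF in the past.
    """
    earliest = not_before + HOLD_OFF
    schedule = []
    for ttl in ttls:
        crossed = not_after - timedelta(seconds=ttl)
        schedule.append((ttl, max(crossed, earliest)))
    return schedule

def first_attempt(not_before, not_after, ttls):
    """Earliest modelled re-enrollment time for this certificate."""
    return min(when for _, when in renewal_schedule(not_before, not_after, ttls))

if __name__ == "__main__":
    nb = datetime(2012, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed dates
    na = nb + timedelta(days=730)
    for ttl, when in renewal_schedule(nb, na, parse_ttls(SAMPLE_CONF)):
        print(f"time-left {ttl:>10}s -> attempt no earlier than {when:%Y-%m-%d %H:%M} UTC")
```

With the oversized threshold present, the model puts the first attempt one hour after not-before; with only the default values it falls 28 days before not-valid-after.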



