[Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)
Bret Wortman
bret.wortman at damascusgrp.com
Thu Jan 19 15:55:12 UTC 2017
I'm generating CSRs like this:
# certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST}
Then pasting this into the web interface of our IPA instance under
"Actions->New Certificate" on the host's page. I then use Actions->View
Certificate and see that it expires in 2019.
I want that cert to expire in 2022. What do I need to change to make
that happen, and what's the right way to do it? I looked at some of the
scripts & files under /etc/pki and see references to $DAYS that look to
do what I want, but I don't want to do something that'll get clobbered
at the next IPA upgrade.
Bret
On 01/19/2017 10:30 AM, Kimi Rachel wrote:
> Mail
>
> heyy Bret, how are you? lets talk details ..
>
>
> On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman
> <bret.wortman at damascusgrp.com <mailto:bret.wortman at damascusgrp.com>>
> wrote:
>
> It seems all our certs being signed by the FreeIPA CA are given 2
> year expirations. We'd like to increase that to 5 years. I've
> added "-v 60" to our certutil commands generating the CSRs, but
> the CA is still only issuing 24 month certs.
>
> What do I need to change to issue certs with longer lifetimes? We
> really don't want to go around every 2 years and reissue certs...
>
>
> --
> *Bret Wortman*
> Damascus Products
> ph/fax: 1-855-644-2783
> Wrap Buddies InDemand <wrapbuddies.co/store> at
> http://bwortman.us/2ieQN4t
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170119/ab133c5f/attachment.htm>
More information about the Freeipa-users
mailing list