[Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

Alexander Bokovoy abokovoy at redhat.com
Thu Jan 19 15:57:06 UTC 2017


On Thu, 19 Jan 2017, Bret Wortman wrote:
>It seems all our certs being signed by the FreeIPA CA are given 2 year 
>expirations. We'd like to increase that to 5 years. I've added "-v 60" 
>to our certutil commands generating the CSRs, but the CA is still only 
>issuing 24 month certs.
>
>What do I need to change to issue certs with longer lifetimes? We 
>really don't want to go around every 2 years and reissue certs...

You need to update your certificate profile.

Something like

ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile

edit file.profile and change the constraint and the default for
Validity:

policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0

The value is in days; by default it is 2*365+1, while the constraint is
2*365+10 days.

After you have changed them so that the default is less than the constraint,
update the profile:

ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile 


Now you can re-submit the request to get the certificate updated.

-- 
/ Alexander Bokovoy
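The following is an added example, written for this page and not part of the thread or of FreeIPA itself. It edits the Validity default and constraint in an exported profile file the way the reply describes, and refuses a default that exceeds the constraint (Dogtag would reject such a request at issuance, so the mismatch is better caught before `ipa certprofile-mod`). The profile text is a constructed sample assembled from the lines quoted in the reply; the function names are my own.

```python
import re

# Constructed sample: the Validity entries of caIPAserviceCert.profile as
# exported with `ipa certprofile-show caIPAserviceCert --out=...`. Only the
# lines quoted in the reply are reproduced here.
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
"""


def _get(text, key):
    """Return the value of `key=value` in the profile text, or raise KeyError."""
    m = re.search(rf"^{re.escape(key)}=(.*)$", text, re.M)
    if not m:
        raise KeyError(key)
    return m.group(1).strip()


def _set(text, key, value):
    """Replace the single `key=...` line in place; refuse to add keys that are absent."""
    new, n = re.subn(rf"^{re.escape(key)}=.*$", f"{key}={value}", text, count=1, flags=re.M)
    if n != 1:
        raise KeyError(key)
    return new


def find_validity_prefix(text):
    """Locate the 'policyset.<set>.<n>' prefix whose default plugin is validityDefaultImpl.

    The index (2 in caIPAserviceCert) is not fixed across profiles, so it is
    discovered from the class_id rather than hard-coded.
    """
    m = re.search(r"^(policyset\.[^.\s]+\.\d+)\.default\.class_id=validityDefaultImpl$", text, re.M)
    if not m:
        raise ValueError("profile has no validityDefaultImpl entry")
    return m.group(1)


def validity_days(text):
    """Return (default_days, constraint_days) currently set in the profile."""
    prefix = find_validity_prefix(text)
    return (int(_get(text, f"{prefix}.default.params.range")),
            int(_get(text, f"{prefix}.constraint.params.range")))


def set_validity(text, default_days, constraint_days=None):
    """Rewrite the Validity default and (optionally) constraint, in days.

    If constraint_days is omitted the existing constraint is kept, which means
    a default above it is rejected: the constraint is the ceiling the CA will
    enforce, and the default must stay at or below it.
    """
    prefix = find_validity_prefix(text)
    if constraint_days is None:
        constraint_days = validity_days(text)[1]
    if default_days <= 0 or constraint_days <= 0:
        raise ValueError("validity must be a positive number of days")
    if default_days > constraint_days:
        raise ValueError(f"default {default_days} days exceeds constraint {constraint_days} days")
    text = _set(text, f"{prefix}.constraint.params.range", constraint_days)
    return _set(text, f"{prefix}.default.params.range", default_days)


if __name__ == "__main__":
    # Five years in the same 'default = N*365+1, constraint = N*365+10' shape
    # used by the stock profile.
    updated = set_validity(SAMPLE_PROFILE, 5 * 365 + 1, 5 * 365 + 10)
    print("before:", validity_days(SAMPLE_PROFILE), "after:", validity_days(updated))
```

Run it against a real export by reading the `--out` file into `text`, writing the result back, and then feeding that file to `ipa certprofile-mod --file=`. Both values are rewritten together on purpose: raising only the default would produce a profile the CA silently caps at the old constraint, which is exactly the symptom in the original question.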
