<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>I'm generating CSRs like this:</p>
    <blockquote>
      <pre># certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST}
</pre>
    </blockquote>
    Then pasting this into the web interface of our IPA instance under
    "Actions->New Certificate" on the host's page. I then use
    Actions->View Certificate and see that it expires in 2019.<br>
    <br>
    I want that cert to expire in 2022. What do I need to change to make
    that happen, and what's the right way to do it? I looked at some of
    the scripts & files under /etc/pki and see references to $DAYS
    that look to do what I want, but I don't want to do something
    that'll get clobbered at the next IPA upgrade.<br>
    <br>
    <br>
    Bret<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 01/19/2017 10:30 AM, Kimi Rachel
      wrote:<br>
    </div>
    <blockquote cite="mid:79c62d4b7840053125ee8bb668d289ae@localhost"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <title>Mail</title>
      <p>heyy Bret, how are you? lets talk details ..</p>
      <div style="color: #500050; direction: ltr; font-family:
        arial,sans-serif; border-collapse: collapse; border-spacing: 0;"><br>
        <div class="gmail_quote">On Thu, Jan 19, 2017 at 9:30 PM, Bret
          Wortman <span dir="ltr"><<a moz-do-not-send="true"
              style="color: #15c;" target="_blank"
              href="mailto:bret.wortman@damascusgrp.com">bret.wortman@damascusgrp.com</a>></span>
          wrote:<br>
          <blockquote style="border-left: 1px solid rgb(204, 204, 204);
            margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">
            <div style="color: #500050;">
              <meta http-equiv="content-type" content="text/html;
                charset=windows-1252">
              <p>It seems all our certs being signed by the FreeIPA CA
                are given 2 year expirations. We'd like to increase that
                to 5 years. I've added "-v 60" to our certutil commands
                generating the CSRs, but the CA is still only issuing 24
                month certs.</p>
              <p>What do I need to change to issue certs with longer
                lifetimes? We really don't want to go around every 2
                years and reissue certs...<br>
              </p>
              <br>
              <div class="moz-signature">-- <br>
                <div><b>Bret Wortman</b></div>
                <div>Damascus Products</div>
                <div>ph/fax: 1-855-644-2783</div>
                <div><a moz-do-not-send="true"
                    href="wrapbuddies.co/store">Wrap Buddies InDemand</a>
                  at <a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
                    href="http://bwortman.us/2ieQN4t">http://bwortman.us/2ieQN4t</a><br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>