[Freeipa-users] Re: Is it possible to alter the default two-year expiration of derived certificates
Bo Lind via FreeIPA-users wrote:
I'm generating certificates for a bunch of not-enrolled,
not-certmonger-feasible services (our printer, for example) and I'd like
a little longer life cycle than the standard two years. I can't for the
life of me figure out where I can set that.
You'd have to create a custom profile. You can use the caIPAserviceCert
as a starting point.
Note that while issuing longer-lived certs is more convenient now I'd
recommend you have a plan on remembering to renew them in X years! Be
sure to well-document the process in case it's up to someone else to
manage it :-)
rob