On 11/17/20 3:56 PM, Harald Dunkel via FreeIPA-users wrote:

Hi folks,

how can I list the expiration dates of the ca certificate chain, before it is too late? External ca.

Regards Harri _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

Hi,

the cert chain should be stored in /etc/ipa/ca.crt. If there is a single certificate in the file, you can use # openssl x509 -noout -text -in /etc/ipa/ca.crt and look for the validity stored in "Not After".

If the file contains multiple certificates (openssl displays only the information for the first one), you will need another tool: # openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 -print_certs -text -noout Same thing, check for "Not after".

HTH, flo