This bug is created as a clone of upstream ticket: https://fedorahosted.org/pki/ticket/466

This is a tracker related to the following FreeIPA ticket: https://fedorahosted.org/freeipa/ticket/3315

We should provide details on what profile changes are needed for FreeIPA to change its default root CA certificate validity to longer (at least 15 years). The current validity is 8 years.
pushed to IPA_v2_RHEL_6_ERRATA_BRANCH:

To ssh://vakwetu.org/git/pki.git
   aca889d..1596bcd  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH
verified ::

]# openssl x509 -text -noout -in /etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=TESTRELM.COM, CN=Certificate Authority
        Validity
            Not Before: Jan 28 03:16:52 2013 GMT
            Not After : Jan 28 03:16:52 2033 GMT
        Subject: O=TESTRELM.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e9:9b:35:26:c9:20:17:64:00:e5:ad:ee:cc:15:
                    51:ca:b4:b6:f4:50:66:b6:14:d8:36:fd:3d:cf:14:
                    c3:cd:2b:d4:7d:de:30:bd:fe:54:21:29:37:55:3f:
                    77:c4:eb:d0:a3:5b:aa:34:c1:b5:06:a2:89:9b:d0:
                    50:4b:b7:fc:65:04:a8:6e:75:81:7c:90:f2:3e:5f:
                    0e:23:34:5d:41:63:fe:95:fa:7d:6c:86:14:eb:f8:
                    90:ab:2a:7d:97:0f:cb:2c:38:79:41:a7:e0:a6:02:
                    f5:e5:8c:18:a1:ca:5c:c0:2a:a7:51:67:a2:1e:25:
                    22:88:79:4c:4d:ba:c8:4d:5a:07:50:f0:75:9d:4f:
                    08:ab:57:46:ad:e2:db:7f:0c:88:74:01:dd:91:d5:
                    92:eb:f6:26:94:fb:11:54:2f:12:77:36:da:28:23:
                    17:03:23:2d:16:a2:5a:c5:e9:4b:1b:04:1e:e0:1a:
                    6d:f7:95:24:4e:33:0a:84:56:c1:c1:0a:4c:b8:c8:
                    b3:be:86:84:b5:5f:9b:82:18:92:d2:53:1c:15:94:
                    9f:0b:8e:38:60:c4:01:e2:cc:d5:39:26:7e:22:9d:
                    5d:f7:29:05:1e:04:c3:a9:c2:95:08:5a:ae:79:50:
                    d9:9d:b4:33:21:f9:07:8c:c8:d8:31:cf:f6:2e:66:
                    fa:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:17:98:CA:67:60:2B:83:7A:1B:A9:AD:C2:EF:FE:A1:E6:2B:4C:8D:70
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                17:98:CA:67:60:2B:83:7A:1B:A9:AD:C2:EF:FE:A1:E6:2B:4C:8D:70
            Authority Information Access:
                OCSP - URI:http://cloud-qe-12.testrelm.com:80/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption
         a8:3f:f3:93:49:80:80:fd:11:cc:13:59:23:4a:c0:cf:5c:5a:
         f2:03:0b:f4:37:c3:1e:88:e2:d6:ad:2d:96:6b:98:c5:17:bf:
         85:19:89:6e:41:e1:6b:57:8b:19:e2:1d:d4:bf:72:47:27:5f:
         c7:d6:9e:3d:10:b8:f8:7e:1b:cb:5e:32:cf:48:f3:31:fc:9f:
         12:e4:48:c2:27:09:c3:2a:27:b8:8e:7b:bb:b5:92:6c:aa:93:
         01:6a:8a:86:05:ce:58:f5:f2:e6:c7:d4:c0:ad:5d:b3:97:b5:
         c7:75:4a:81:3b:88:ac:35:c4:c4:59:6b:d7:6f:38:51:66:34:
         6c:c5:8b:79:e2:fd:68:ae:98:08:c3:9c:3a:c3:cc:3b:fb:bf:
         5f:da:61:59:c0:bd:89:6f:e6:10:84:4d:76:27:20:d3:fe:db:
         e1:45:d9:fc:3e:bd:19:00:df:42:6a:3e:48:ee:2d:64:e4:d1:
         17:eb:53:ee:e0:fb:1b:3b:aa:a6:70:f8:8c:59:8c:19:85:10:
         ae:15:fb:5e:c7:0e:3a:f7:c4:7d:4d:62:6d:50:0d:5b:f2:75:
         2a:6d:40:2e:06:86:3b:55:16:3a:21:20:40:07:b8:62:d3:55:
         9d:7a:1a:3b:e5:ae:ca:1c:5c:66:b5:76:fd:e8:d1:40:f8:c1:
         85:e3:fb:c3

<snip>
        Validity
            Not Before: Jan 28 03:16:52 2013 GMT
            Not After : Jan 28 03:16:52 2033 GMT
</snip>

Now valid for 20 years.

version ::
ipa-server-3.0.0-24.el6.x86_64
pki-ca-9.0.3-30.el6.noarch
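The verification above reads the validity window off the certificate by eye. The script below is an added example, not part of this bug report or of the pki project, that does the same check mechanically: it computes a certificate's validity span in whole years from openssl's -startdate/-enddate output and flags any CA certificate still below the 15-year minimum the ticket asks for. The function names and the default path /etc/ipa/ca.crt are my own assumptions; validity_years also accepts the raw date strings quoted above, so it works without a certificate file.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the pki project): report how many
# whole years a certificate is valid for and warn when it is below a minimum.

# validity_years "NOT_BEFORE" "NOT_AFTER"
# Both arguments use openssl's date format, e.g. "Jan 28 03:16:52 2013 GMT".
# Prints the number of whole years between the two dates; the time of day is
# ignored, and an end month/day earlier than the start month/day rounds down.
validity_years() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i in m) mon[m[i]] = i            # month name -> 1..12
    }
    { key[NR] = $4 * 10000 + mon[$1] * 100 + $2 }   # YYYYMMDD as an integer
    END {
      y = int(key[2] / 10000) - int(key[1] / 10000)
      if (key[2] % 10000 < key[1] % 10000) y--   # anniversary not yet reached
      print y
    }'
}

# cert_validity_years FILE
# Runs openssl on a PEM certificate and prints its validity span in years.
cert_validity_years() {
  nb=$(openssl x509 -noout -startdate -in "$1") || return 1
  na=$(openssl x509 -noout -enddate -in "$1") || return 1
  validity_years "${nb#*=}" "${na#*=}"      # strip the "notBefore="/"notAfter=" prefixes
}

# check_min_validity FILE [MIN_YEARS]
# Exit 0 when FILE is valid for at least MIN_YEARS (default 15, per the ticket),
# 1 when it is shorter (for example a root CA issued with the old 8-year profile),
# 2 when the certificate could not be read.
check_min_validity() {
  min=${2:-15}
  years=$(cert_validity_years "$1") || return 2
  if [ "$years" -ge "$min" ]; then
    echo "OK: $1 is valid for $years years (minimum $min)"
  else
    echo "WARNING: $1 is valid for only $years years (minimum $min)"
    return 1
  fi
}

# Usage: sh check-ca-validity.sh /etc/ipa/ca.crt [MIN_YEARS]
if [ -n "${1:-}" ]; then
  check_min_validity "$1" "${2:-15}"
fi
```

Run against the certificate above, check_min_validity prints "OK: ... 20 years" and exits 0; against a CA issued with the previous 8-year profile it exits 1.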
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0511.html