#7827 Root CA lifetime needs to be capped at 2038
Opened 5 years ago by abbra. Modified 4 years ago

Default root CA lifetime is set to 20 years in FreeIPA. This means installations done since January 2019 are now using an expiration time that will not be accepted by Kerberos PKINIT (and maybe other areas). This is going to be a big investigation, but for the time being we should cap the lifetime of the root CA at the 2038 timestamp during install.


Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6

5 years ago

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1660877

5 years ago

To do that, before pkispawn, we'd have to edit /usr/share/pki/ca/profiles/ca/caCACert.cfg (at least, maybe others?) and set policyset.caCertSet.2.constraint.params.range to a computed number of days between current_date and 2037-12-30 (or so: 2037-11-30 seems smarter, just because it does not seem to fall within a holiday period). This variable is hardcoded to 7305 days.

However: /usr/share/pki/ca/profiles/ca/caCACert.cfg is NOT a configuration file (e.g. not %config(noreplace) in the RPM), so modifying it feels wrong. Moreover, /usr can be mounted read-only (suggested by @rcritten).

The proper way to fix this (suggested by @dmoluguw) is to switch to Dogtag's two-step installation:
https://www.dogtagpki.org/wiki/Two-Step_Installation
Essentially invoking pkispawn with --skip-configuration first, editing the profile in /var, then relaunching pkispawn with --skip-installation.
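An added example, not FreeIPA's or Dogtag's own code, of the computation the comment above describes: the number of days from the install date to the 2037-11-30 cutoff, a check that the resulting notAfter still fits a signed 32-bit time_t (the 2038-01-19 rollover that PKINIT trips over), and the rewrite of the hardcoded `policyset.caCertSet.2.constraint.params.range=7305` line in a caCACert.cfg-style profile copied under /var for the two-step install. The profile excerpt and the install date `EXAMPLE_TODAY` are constructed for the example; only the key name and the 7305-day default come from the ticket.

```python
"""Cap a Dogtag CA profile's validity range so the root CA expires before 2038.

Added example (not FreeIPA or Dogtag code). Assumes a caCACert.cfg-style
key=value profile that has been copied to a writable location, as in the
two-step pkispawn installation described in the ticket.
"""
import re
from datetime import date, datetime, time, timedelta, timezone

# Cutoff from the ticket: end of November 2037, comfortably before 2038-01-19.
CUTOFF = date(2037, 11, 30)
# Largest value a signed 32-bit time_t can represent (2038-01-19T03:14:07Z).
TIME_T_MAX = 2**31 - 1
# Profile key the ticket says is hardcoded to 7305 days (20 years).
PROFILE_KEY = "policyset.caCertSet.2.constraint.params.range"

# Constructed install date for the example (an install from the affected period).
EXAMPLE_TODAY = date(2019, 1, 1)

# Constructed excerpt in the style of caCACert.cfg; a real profile has many more keys.
SAMPLE_PROFILE = """\
desc=This certificate profile is for installing a CA certificate.
policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
policyset.caCertSet.2.constraint.params.range=7305
policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
policyset.caCertSet.2.default.params.range=7305
"""


def days_until_cutoff(today, cutoff=CUTOFF):
    """Whole days from `today` to `cutoff`; refuses a cutoff that is not in the future."""
    days = (cutoff - today).days
    if days <= 0:
        raise ValueError(f"cutoff {cutoff} is not after {today}")
    return days


def not_after_fits_time_t(today, days):
    """True if a certificate issued at 00:00 UTC `today` with `days` of validity
    has a notAfter that a signed 32-bit time_t can still represent."""
    not_after = datetime.combine(today + timedelta(days=days), time.min, tzinfo=timezone.utc)
    return int(not_after.timestamp()) <= TIME_T_MAX


def rewrite_range(profile_text, days):
    """Return `profile_text` with the constraint range set to `days`.

    Exactly one matching line is required: a missing key would otherwise leave
    the 20-year default in place silently, and a duplicate would be ambiguous.
    """
    pattern = re.compile(r"^(" + re.escape(PROFILE_KEY) + r")=(\d+)[ \t]*$", re.MULTILINE)
    new_text, count = pattern.subn(rf"\g<1>={days}", profile_text)
    if count != 1:
        raise ValueError(f"expected exactly one '{PROFILE_KEY}' line, found {count}")
    return new_text


def cap_profile(profile_text, today):
    """Compute the capped range for `today`, verify it stays below the time_t
    limit, and return the rewritten profile text."""
    days = days_until_cutoff(today)
    if not not_after_fits_time_t(today, days):
        raise ValueError(f"{days} days from {today} still overflows 32-bit time_t")
    return rewrite_range(profile_text, days)


if __name__ == "__main__":
    default_days = 7305
    print(f"default {default_days} days from {EXAMPLE_TODAY} fits time_t:",
          not_after_fits_time_t(EXAMPLE_TODAY, default_days))
    print(cap_profile(SAMPLE_PROFILE, EXAMPLE_TODAY))
```

Note that only the constraint line is rewritten here; the profile excerpt also carries a `default.params.range`, which Dogtag uses as the requested validity, so in practice both keys are worth checking before the second pkispawn step rather than trusting one edit to cover the whole profile.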
