On my host(ipa-client) I already have a certificate with validity till 2022-05-30 (2 years)
sudo ipa-getcert list -i 20200529110800 | grep expires
expires: 2022-05-30 21:08:01 AEST
I want to have a certificate with 5-year validity.
On the Freeipa server
sudo ipa certprofile-show caIPAserviceCert --out=caIPAserviceCert.profile
Open the file caIPAserviceCert.profile and then update the below values
Update the value of below from 731(2*365+1) to 1826(5*365+1)
policyset.serverCertSet.2.default.params.range=1826
Update the value of below from 740(2*365+10) to 1835(5*365+10)
policyset.serverCertSet.2.constraint.params.range=1835
Run the below command to modify the default expiry date
sudo ipa certprofile-mod caIPAserviceCert --file=caIPAserviceCert.profile
Now, if you want to update your already installed certificates to have the new 5-year validity, run the below command on the host(ipa-client)
sudo ipa-getcert rekey -i 20200529110800
where 20200529110800 is the tracking request identifier
Now if we check the validity it should have 5 years
sudo ipa-getcert list -i 20200529110800 | grep expires
expires: 2025-05-29 21:46:31 AEST