Hi,
> You mentioned:
>> You are trying to issue certificates with a validity of one year with a
>> signer that is not capable of doing so (because it expires earlier than
>> that).
>> In other words, your PKI is not properly maintained, and it has now reached
>> a state where it cannot operate properly any longer. You should have
>> performed a CA rollover earlier to maintain operational
>> capability.
>
>> Your options now are
>> - perform the CA rollover (better late than never)
>> - reduce the validity of end entity certificates so they fit in the
>> remaining CA validity
>
> I don't think CA rollover is possible at this stage, where I am trying to
> bring the OpenXPKI system up for the first time, during a new install. Is it
> something I can fix by modifying the scep endpoint YAML file?
This is strange, as the sampleconfig script (which we definitely do not recommend
to use for production setups) creates a CA with 2 years validity.
Anyway. The easiest way is to reduce the validity of the issued certificates to
e. g. 6 months so it fits in the remaining CA validity.

Edit config.d/realm.tpl/profile/default.yaml and change

    validity:
        notafter: +01

to something shorter, e. g.

    validity:
        notafter: +0006

Restart the server and retry (and note that this will only buy you another 6
months...)
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
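
An added example, not part of the original thread or of OpenXPKI's code: a check of whether a profile's relative `notafter` value still fits inside the issuing CA's remaining validity, and the longest whole-month value that does. It assumes the relative format is `+YYMMDDhhmmss` with trailing two-digit fields optional (consistent with `+01` for one year and `+0006` for six months above); the function names, the end-of-month clamping and the sample dates are constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta, timezone


def add_relative(start, spec):
    """Add a relative validity such as '+01' or '+0006' to start.

    Assumed format: '+YYMMDDhhmmss', trailing two-digit fields may be omitted.
    """
    digits = spec[1:]
    if (not spec.startswith("+") or not digits.isdigit()
            or len(digits) % 2 or not 2 <= len(digits) <= 12):
        raise ValueError(f"unsupported validity spec: {spec!r}")
    fields = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    years, months, days, hours, minutes, seconds = fields + [0] * (6 - len(fields))
    # Shift years/months on the calendar, clamping the day to the month's length
    # (assumption; the server's own end-of-month handling may differ).
    total = start.month - 1 + months + 12 * years
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    shifted = start.replace(year=year, month=month, day=day)
    return shifted + timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def fits_in_ca(spec, ca_not_after, now):
    """True if a certificate issued at 'now' would expire no later than the CA."""
    return add_relative(now, spec) <= ca_not_after


def longest_fit(ca_not_after, now, max_months=120):
    """Longest whole-month spec ('+YYMM') that still fits, or None if none does."""
    best = None
    for m in range(1, max_months + 1):
        spec = f"+{m // 12:02d}{m % 12:02d}"
        if not fits_in_ca(spec, ca_not_after, now):
            break
        best = spec
    return best


# Constructed sample: a CA with roughly 8.5 months of validity left.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CA_NOT_AFTER = datetime(2024, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for spec in ("+01", "+0006"):
        print(spec, add_relative(NOW, spec).date(), fits_in_ca(spec, CA_NOT_AFTER, NOW))
    print("longest whole-month notafter:", longest_fit(CA_NOT_AFTER, NOW))
```

In practice the CA's notAfter would be read from the signer certificate rather than hard-coded, and the result shrinks every day the CA gets closer to expiry.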