Specifying when the CA certificate and web server certificates expire

By default, IKYSETUP creates a CA certificate that expires in 20 years and a web server SSL certificate that expires in five years from the date when the IKYSETUP script is run. If these expiration times are compliant with your security guidelines, no changes are needed to the ca_exyears, ca_expires, web_exyears, and web_expires variables in Table 1.

You can shorten or extend the lifetime of the CA certificate by altering the value of the ca_exyears variable. This variable specifies the lifetime of the CA certificate in years. The default value is 20. You can shorten or extend the lifetime of the web server certificate by altering the value of the web_exyears variable. The default value is 5. These variables are listed in IKYSETUP in "Part 3", in the subsection titled "Method 1". Ensure that the value for web_exyears is less than the value of ca_exyears. If it is not, the web server certificate might be added to the RACF® database with the NOTRUST option.

If your security guidelines require that the CA certificate and web server certificate expire on specific dates, you can set these expiration dates in IKYSETUP. Ensure that the web server certificate expires before the date that the CA certificate expires. If it does not, the web server certificate might be added to the RACF database with the NOTRUST option.