From 444e56b42573cd66a43329b72d2e18b97f8166a7 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Sat, 27 Aug 2022 16:21:24 -0400
Subject: [PATCH] Set cert lifetime on CA cert too

This was an oversight when automating: we use the `req -x509` approach to create the CA cert, which didn't pick up the defaults set for other stuff and so defaulted to 30 days. Abstract out CERT_DURATION and use for both the cert defaults and the CA's own lifetime.
---
 test/configs/certs/regenerate_top.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/test/configs/certs/regenerate_top.sh b/test/configs/certs/regenerate_top.sh
index d0172545..bd8d7614 100755
--- a/test/configs/certs/regenerate_top.sh
+++ b/test/configs/certs/regenerate_top.sh
@@ -23,6 +23,7 @@ CA_NAME="Certificate Authority $(date +%Y-%m-%d)"
 readonly CA_NAME
 readonly RSA_SIZE=2048
 readonly DIGEST_ALG=sha256
+readonly CERT_DURATION=$((10 * 365))
 okay=true
 for cmd in openssl ; do
@@ -77,7 +78,7 @@ private_key = \$dir/$TEMP_CA_KEY_REL
 rand_serial = yes
 unique_subject = no
 # modern TLS is moving towards rejecting longer-lived certs, be prepared to lower this to less than a year and regenerate more often
-default_days = $(( 10 * 365 ))
+default_days = $CERT_DURATION
 default_md = $DIGEST_ALG
 copy_extensions = copy
 policy = policy_anything
@@ -172,7 +173,7 @@ sign_csr() {
 }
 make_keyfile "$CA_KEY"
-o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca
+o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -days "$CERT_DURATION" -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca
 echo
 readonly CLIENT_KEY=client-key.pem
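Review bot: The new `CERT_DURATION` constant in the first hunk is now the single knob for both the leaf `default_days` (second hunk) and the CA's own `-days` (third hunk), but the only guidance on it is the comment inside the CA config heredoc, which tells a maintainer to lower `default_days` to under a year without mentioning that doing so now also shortens the CA certificate to the same span. Since the CA is created first and each leaf gets the same number of days, every signed cert already expires slightly after the CA that issued it; a shortened shared value makes that gap matter sooner for anything that checks chain validity periods. I would give the CA its own constant, e.g. `readonly CA_DURATION=$((10 * 365))` used by the `o_req -x509 ... -days "$CA_DURATION"` line, and keep `CERT_DURATION` for `default_days`, or at minimum put a comment above the definition: `# Used for leaf default_days AND the CA's -days; the CA must outlive every cert it signs, so split these before lowering the leaf lifetime`. The heredoc and the `o_req` call both sit inside spans that start outside their hunks.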