Set cert lifetime on CA cert too

This was an oversight when automating: we use the `req -x509` approach to
create the CA cert, which didn't pick up the defaults set for other stuff and
so defaulted to 30 days.

Abstract out CERT_DURATION and use it for both the cert defaults and the CA's own
lifetime.
This commit is contained in:
Phil Pennock
2022-08-27 16:21:24 -04:00
parent d73ca7d468
commit 444e56b425


@@ -23,6 +23,7 @@ CA_NAME="Certificate Authority $(date +%Y-%m-%d)"
readonly CA_NAME
readonly RSA_SIZE=2048
readonly DIGEST_ALG=sha256
readonly CERT_DURATION=$((10 * 365))
okay=true
for cmd in openssl ; do
@@ -77,7 +78,7 @@ private_key = \$dir/$TEMP_CA_KEY_REL
rand_serial = yes
unique_subject = no
# modern TLS is moving towards rejecting longer-lived certs, be prepared to lower this to less than a year and regenerate more often
default_days = $(( 10 * 365 ))
default_days = $CERT_DURATION
default_md = $DIGEST_ALG
copy_extensions = copy
policy = policy_anything
@@ -172,7 +173,7 @@ sign_csr() {
}
make_keyfile "$CA_KEY"
o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca
o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -days "$CERT_DURATION" -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca
echo
readonly CLIENT_KEY=client-key.pem
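Review bot: Reusing the one CERT_DURATION for both `default_days` in the `[ca]` section and the CA's own `-days` (the new lines 29 and 37) ties the trust anchor's lifetime to the leaf-certificate default, so following the existing comment's advice to drop `default_days` below a year would also expire the CA cert on that cadence and force every relying party to re-import the CA file. The two lifetimes are normally tuned independently: a CA cert is expected to outlive the certificates it signs, otherwise leaves issued late in the CA's life may outlast the chain they depend on and stop validating before their own notAfter. Consider a second constant beside the new line 21, `readonly CA_DURATION=$((10 * 365))`, and pass `-days "$CA_DURATION"` on the `o_req -x509` call while CERT_DURATION keeps feeding `default_days`. It would also help to extend the comment above `default_days` to state that CERT_DURATION governs only issued certificates, so a later reader does not shorten the CA lifetime by accident.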