[pve-devel] [PATCH manager] certs: early renew long-lived certificates

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Apr 23 21:42:33 CEST 2020


On 4/23/20 1:59 PM, Fabian Grünbichler wrote:
> On April 23, 2020 1:07 pm, Dominik Csapak wrote:
>> LGTM
>>
>> maybe we should shorten the lifespan to 1 year already?
>> according to [0], Safari on macOS will reject certs
>> that are valid for longer than 398 days, when issued on/after
>> 2020-09-01
>>
>> 0: https://support.apple.com/en-us/HT211025
>>
> 
> forgot to include this tidbit: that change was actually the reason for 
> looking at it, but it only affects certificates issued by CAs shipped in 
> the Apple Trust Stores, not those issued by CAs manually trusted by a 
> user. so our self-signed CA and its certificates are not affected (for 
> now).

This all makes me think... Wouldn't we need to have the PMG also adapt
to this? Checking a test VM very recently installed from a (new test) ISO gets
me a 10 year certificate lifespan.. I mean, there, more may use a "trusted"
one, but still..





