[pve-devel] [PATCH manager] certs: early renew long-lived certificates

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Apr 24 08:30:14 CEST 2020


On April 23, 2020 9:42 pm, Thomas Lamprecht wrote:
> On 4/23/20 1:59 PM, Fabian Grünbichler wrote:
>> On April 23, 2020 1:07 pm, Dominik Csapak wrote:
>>> LGTM
>>>
>>> maybe we should shorten the lifespan to 1 year already?
>>> according to [0], safari on macos will reject certs
>>> that are longer valid than 398 days, when issued on/after
>>> 2020-09-01
>>>
>>> 0: https://support.apple.com/en-us/HT211025
>>>
>> 
>> forgot to include this tidbit: that change was actually the reason for 
>> looking at it, but it only affects certificates issued by CAs shipped in 
>> the Apple Trust Stores, not those issued by CAs manually trusted by a 
>> user. so our self-signed CA and its certificates are not affected (for 
>> now).
> 
> This all makes me think... Wouldn't we need to have the PMG also adapt
> to this? A test VM installed very recently from the (new test) ISO gets
> me a 10 year certificate lifespan.. I mean, there more may use a "trusted"
> one, but still..

Apple's 825 days limit affects self-signed as well AFAIU. so yes, we 
should probably port the renewal + shorten lifetime changes to PMG as 
well.
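As an added illustration of the lifetime limits discussed in this thread (not code from the patch, from Proxmox or from anyone on the list): a small stand-alone checker that reads the `notBefore`/`notAfter` lines as printed by `openssl x509 -noout -dates` and reports whether a certificate's validity period exceeds the limit that applies to its issue date. The 398-day limit and its 2020-09-01 start date are taken from the thread ([0]); the 825-day limit is mentioned above, but its effective date of 2019-07-01 is an assumption taken from Apple's earlier policy notice, not from this thread. The sample date lines are constructed.

```python
"""Check a certificate's validity period against Apple's lifetime limits.

Added example; not part of the pve-manager patch or of Proxmox's code.
Input is the text printed by `openssl x509 -in cert.pem -noout -dates`.
"""
from datetime import datetime, timezone

# (effective issue date, maximum validity in days).
# 398 days from 2020-09-01: from the thread / https://support.apple.com/en-us/HT211025
# 825 days from 2019-07-01: the 825-day figure is from the thread; the
# start date is an assumption taken from Apple's earlier policy, not from the thread.
LIMITS = [
    (datetime(2020, 9, 1, tzinfo=timezone.utc), 398),
    (datetime(2019, 7, 1, tzinfo=timezone.utc), 825),
]

# Constructed sample outputs of `openssl x509 -noout -dates`.
TEN_YEAR_DATES = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2030 GMT\n"
ONE_YEAR_DATES = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2021 GMT\n"
TWO_YEAR_DATES = "notBefore=Aug  1 12:00:00 2019 GMT\nnotAfter=Aug  1 12:00:00 2021 GMT\n"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes parsed from openssl's -dates output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("notBefore", "notAfter"):
            continue
        # openssl pads single-digit days with a space ("Sep  1"); collapse it.
        value = " ".join(value.split())
        fields[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(
            tzinfo=timezone.utc
        )
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("input lacks notBefore/notAfter lines")
    return fields["notBefore"], fields["notAfter"]


def max_allowed_days(not_before):
    """Strictest limit whose effective date is on or before the issue date, or None."""
    applicable = [days for start, days in LIMITS if not_before >= start]
    return min(applicable) if applicable else None


def check_lifetime(dates_text):
    """Evaluate one certificate; returns validity length, applicable limit and verdict."""
    not_before, not_after = parse_openssl_dates(dates_text)
    validity_days = (not_after - not_before).days
    limit = max_allowed_days(not_before)
    accepted = limit is None or validity_days <= limit
    return {"validity_days": validity_days, "limit_days": limit, "accepted": accepted}


if __name__ == "__main__":
    for label, sample in (("10-year", TEN_YEAR_DATES),
                          ("1-year", ONE_YEAR_DATES),
                          ("2-year (2019)", TWO_YEAR_DATES)):
        print(label, check_lifetime(sample))
```

The 10-year certificate issued on 2020-09-01 comes out at 3652 days against a 398-day limit and is flagged; the one-year certificate passes; the two-year certificate issued in August 2019 falls under the older 825-day limit and passes as well. Renewal tooling can call `max_allowed_days` with the planned `notBefore` to pick a `notAfter` that stays under the limit.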
