[pve-devel] [PATCH manager] certs: early renew long-lived certificates
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Apr 24 08:30:14 CEST 2020
On April 23, 2020 9:42 pm, Thomas Lamprecht wrote:
> On 4/23/20 1:59 PM, Fabian Grünbichler wrote:
>> On April 23, 2020 1:07 pm, Dominik Csapak wrote:
>>> LGTM
>>>
>>> maybe we should shorten the lifespan to 1 year already?
>>> according to [0], safari on macos will reject certs
>>> that are valid for longer than 398 days, when issued on/after
>>> 2020-09-01
>>>
>>> 0: https://support.apple.com/en-us/HT211025
>>>
>>
>> forgot to include this tidbit: that change was actually the reason for
>> looking at it, but it only affects certificates issued by CAs shipped in
>> the Apple Trust Stores, not those issued by CAs manually trusted by a
>> user. So our self-signed CA and its certificates are not affected (for
>> now).
>
> This all makes me think... Wouldn't we need to have PMG adapt to
> this as well? A test VM installed very recently from the (new test) ISO gets
> me a 10-year certificate lifespan... I mean, there more may use a "trusted"
> one, but still...
Apple's 825-day limit affects self-signed as well AFAIU. So yes, we
should probably port the renewal + shorten-lifetime changes to PMG as
well.
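An added check, not part of this thread or of the Proxmox code, that applies the two limits discussed above (825 days as the general Apple limit, 398 days for certificates issued on/after 2020-09-01) to the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, and flags certificates that a renewal job should replace early. The sample `-dates` output is constructed; treating the 2020-09-01 date as the switch between the two limits is an assumption taken from the thread.

```python
#!/usr/bin/env python3
"""Flag long-lived TLS certificates that should be renewed early."""
from datetime import datetime, timezone
import re

# Limits as discussed in the thread (assumption: applied by issuance date)
APPLE_DEFAULT_MAX_DAYS = 825                     # also hits self-signed certs
APPLE_STRICT_MAX_DAYS = 398                      # certs issued on/after 2020-09-01
APPLE_STRICT_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"            # `openssl x509 -noout -dates` format


def parse_openssl_dates(text):
    """Parse the notBefore=/notAfter= lines into timezone-aware datetimes."""
    found = {}
    for m in re.finditer(r"^(notBefore|notAfter)=(.+)$", text, re.M):
        stamp = datetime.strptime(m.group(2).strip(), OPENSSL_DATE)
        found[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def max_allowed_days(not_before):
    """Strictest limit that applies, chosen by the certificate's issuance date."""
    if not_before >= APPLE_STRICT_FROM:
        return APPLE_STRICT_MAX_DAYS
    return APPLE_DEFAULT_MAX_DAYS


def check_certificate(not_before, not_after):
    """Return (lifetime_days, limit_days, needs_early_renewal)."""
    lifetime = (not_after - not_before).days
    limit = max_allowed_days(not_before)
    return lifetime, limit, lifetime > limit


def check_openssl_output(text):
    """Convenience wrapper: run the check directly on `-dates` output."""
    return check_certificate(*parse_openssl_dates(text))


if __name__ == "__main__":
    # Constructed sample: a 10-year self-signed cert such as the thread describes
    sample = "notBefore=Apr 24 06:30:14 2020 GMT\nnotAfter=Apr 24 06:30:14 2030 GMT\n"
    days, limit, renew = check_openssl_output(sample)
    print(f"lifetime={days}d limit={limit}d early_renewal={'yes' if renew else 'no'}")
```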