[pve-devel] applied: [PATCH manager] certs: early renew long-lived certificates

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Apr 27 18:29:21 CEST 2020


On 4/23/20 12:20 PM, Fabian Grünbichler wrote:
> if our self-signed certificate expires in more than 825 days, but was
> created after July 2019 it won't be accepted by modern Apple devices. we
> fixed the issuance to generate shorter-lived certificates in November
> 2019, this cleans up the existing ones to fix this and similar future
> issues.
> 
> two years / 730 days as cut-off was chosen since it's our new maximum
> self-signed certificate lifetime, and should thus catch all old-style
> certificates.
> 
> another positive side-effect is that we can now phase out support for
> older certificates faster, e.g. if we want to move to bigger keys,
> different signature algorithms, or anything else in that direction.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> I'd also be fine with reducing both even more, e.g. to 1 year ;)
> 
>  bin/pveupdate | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 

applied, thanks!
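The cut-offs discussed in the commit message, as an added example that is not part of the original mail or of `bin/pveupdate`: it evaluates the 825-day lifetime limit and the 730-day early-renew cut-off against `openssl x509 -dates` style lines. Assumptions: the 730 days are read as remaining validity, "after July 2019" is taken as 2019-07-01, and all names and sample dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Cut-offs taken from the commit message above.
EARLY_RENEW_DAYS = 730     # renew early if more than this many days remain
APPLE_MAX_LIFETIME = 825   # lifetime limit named for modern Apple devices
# Assumption: the message only says "after July 2019"; 2019-07-01 is used here.
APPLE_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)


def parse_openssl_date(line):
    """Parse 'notAfter=Apr 27 16:29:21 2030 GMT' as printed by `openssl x509 -dates`."""
    value = line.split("=", 1)[-1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess(not_before, not_after, now):
    """Return the checks that apply to one certificate at time `now`."""
    lifetime = not_after - not_before
    remaining = not_after - now
    return {
        "expired": remaining <= timedelta(0),
        "apple_rejects": (not_before > APPLE_CUTOFF
                          and lifetime > timedelta(days=APPLE_MAX_LIFETIME)),
        "early_renew": remaining > timedelta(days=EARLY_RENEW_DAYS),
    }


# Constructed sample values, not taken from any real node.
SAMPLES = {
    "old-style 10-year": ("notBefore=Sep  1 10:00:00 2019 GMT",
                          "notAfter=Aug 29 10:00:00 2029 GMT"),
    "new-style 2-year": ("notBefore=Dec  1 10:00:00 2019 GMT",
                         "notAfter=Nov 30 10:00:00 2021 GMT"),
    "pre-cutoff 10-year": ("notBefore=Jan  1 10:00:00 2018 GMT",
                           "notAfter=Dec 30 10:00:00 2027 GMT"),
}


def run_samples(now=datetime(2020, 4, 27, tzinfo=timezone.utc)):
    """Assess every sample as of the date of this mail."""
    return {name: assess(parse_openssl_date(nb), parse_openssl_date(na), now)
            for name, (nb, na) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:20} {result}")
```

The third sample is outside the Apple rule but is still flagged for early renewal, which is the broader clean-up the commit message describes.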




