summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorStuart Henderson <sthen@cvs.openbsd.org>2019-02-26 14:21:31 +0000
committerStuart Henderson <sthen@cvs.openbsd.org>2019-02-26 14:21:31 +0000
commita6a6c0baf8380d18184846e4b72d48148614a92e (patch)
treeb3c3e2c8e69baa16a230557accb04e72f311cb4a /usr.sbin
parentef664d91269f2f53c00ca18c2485b1f39690b93d (diff)
ikectl's built-in CA command for simple configurations has a fixed certificate
validity for the ca certificate. Raise this from 365 days to 4500 as expiry means installing new CA certificates on all client machines which can cause significant pain. This doesn't change the default validity for server certificates which remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate on these can be done easily without visiting all machines. ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ikectl/ikeca.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 5f698e53df7..bac76ab9c2f 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.47 2017/11/08 09:33:37 patrick Exp $ */
+/* $OpenBSD: ikeca.c,v 1.48 2019/02/26 14:21:30 sthen Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -429,7 +429,7 @@ ca_create(struct ca *ca)
system(cmd);
chmod(path, 0600);
- snprintf(cmd, sizeof(cmd), "%s x509 -req -days 365"
+ snprintf(cmd, sizeof(cmd), "%s x509 -req -days 4500"
" -in %s/private/ca.csr -signkey %s/private/ca.key"
" -sha256"
" -extfile %s -extensions x509v3_CA -out %s/ca.crt -passin file:%s",