| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-02-26 14:21:31 +0000 |
| --- | --- | --- |
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-02-26 14:21:31 +0000 |
| commit | a6a6c0baf8380d18184846e4b72d48148614a92e (patch) | |
| tree | b3c3e2c8e69baa16a230557accb04e72f311cb4a /usr.sbin | |
| parent | ef664d91269f2f53c00ca18c2485b1f39690b93d (diff) | |
ikectl's built-in CA command for simple configurations has a fixed certificate
validity for the ca certificate. Raise this from 365 days to 4500 as expiry means
installing new CA certificates on all client machines which can cause significant
pain. This doesn't change the default validity for server certificates which
remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate
on these can be done easily without visiting all machines. ok deraadt@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ikectl/ikeca.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c index 5f698e53df7..bac76ab9c2f 100644 --- a/usr.sbin/ikectl/ikeca.c +++ b/usr.sbin/ikectl/ikeca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikeca.c,v 1.47 2017/11/08 09:33:37 patrick Exp $ */ +/* $OpenBSD: ikeca.c,v 1.48 2019/02/26 14:21:30 sthen Exp $ */ /* * Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org> @@ -429,7 +429,7 @@ ca_create(struct ca *ca) system(cmd); chmod(path, 0600); - snprintf(cmd, sizeof(cmd), "%s x509 -req -days 365" + snprintf(cmd, sizeof(cmd), "%s x509 -req -days 4500" " -in %s/private/ca.csr -signkey %s/private/ca.key" " -sha256" " -extfile %s -extensions x509v3_CA -out %s/ca.crt -passin file:%s", |
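Review bot: in the ca_create() hunk, the CA lifetime stays a bare literal inside the snprintf() format string ("%s x509 -req -days 4500"), whereas the commit message notes that server certificate validity is driven by ikeca.cnf; consider lifting the value into a named constant (or an ikeca.cnf setting alongside the server validity) so the roughly twelve-year CA expiry is discoverable rather than buried in a shell command, and state the fixed CA lifetime in the ikectl manual page so operators can plan rotation before it lapses. The hunk only changes the numeric literal; the path arguments handed to system(cmd) are unchanged, so it adds no new input to that command string.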