ssl-cert generate-default-snakeoil provides no way to override default 10 year expiration or reduce to 825 day expiration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ssl-cert (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
[Impact]
The CA/Browser Forum now has a standard with maximum expiration of 825 days. `ssl-cert generate-
[Test Case]
$ openssl x509 -enddate -noout -in /etc/ssl/
notAfter=Dec 15 04:21:19 2029 GMT
$ sudo rm /etc/ssl/
$ make-ssl-cert --expiration-
notAfter=Nov 24 04:21:43 2020 GMT
[Where Problems Could Occur]
The fix for this bug includes a new implementation of option handling, so the most likely place to watch for issues would be options that no longer work or that behave differently. However, the script previously supported only a small number of ways to be executed, so it is simple to just test all the combinations.
The purpose of the script itself is to create certificates, so another obvious thing to watch for would be invalidly generated certificates.
[Original Report]
The CA/Browser Forum now has a standard with maximum expiration of 825 days.
References:
https:/
https:/
https:/
Related previous issue, from when the default was changed from 30 days to 10 years:
"ssl-cert generate-
https:/
"""
The openssl req command requires a -days argument to override the default number of days (30) for validity of self-signed certificates. 30 days seems an unreasonably low default. I have found no way to change this without fiddling with /usr/sbin/
"""
Related branches
- Christian Ehrhardt (community): Approve
- Paride Legovini (community): Needs Information
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 161 lines (+71/-21), 3 files modified:
debian/changelog (+10/-0)
debian/control (+4/-3)
make-ssl-cert (+57/-18)
summary: ssl-cert generate-default-snakeoil provides no way to override default
- 10 year expiration
+ 10 year expiration or reduce to 825 day expiration
description: updated
Changed in ssl-cert (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
tags: added: bitesize
tags: added: server-next
tags: added: patch
description: updated
If I understand correctly, the needed fix here is to modify /usr/sbin/make-ssl-cert to add a --expiration-days=N option that passes the value to the -days arg in the last invocation of `openssl req`, maybe similar to what I've sketched in the attached (completely untested) patch?
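As an added illustration of the option handling the comment above sketches (example code, not the ssl-cert package's own make-ssl-cert or the attached patch): a POSIX sh function that accepts --expiration-days=N or --expiration-days N, falls back to the 10-year default, rejects non-numeric values, warns when the requested validity exceeds the 825-day CA/Browser Forum limit, and a second function that wires the value into `openssl req -days` and echoes the resulting notAfter as in the test case. The 3650-day default, the /CN=localhost subject and the output file names are assumptions; openssl(1) is only needed by generate_snakeoil.

```shell
#!/bin/sh
# Added example, not the ssl-cert package's script (assumptions as noted).

DEFAULT_DAYS=3650      # assumed 10-year default the report objects to
MAX_BROWSER_DAYS=825   # CA/Browser Forum maximum for publicly trusted certs

# parse_expiration_days "$@": print the requested validity in days.
# --expiration-days=N or --expiration-days N; default otherwise;
# non-numeric, empty or zero values fail with exit status 2.
parse_expiration_days() {
    days=$DEFAULT_DAYS
    while [ $# -gt 0 ]; do
        case $1 in
            --expiration-days=*) days=${1#--expiration-days=} ;;
            --expiration-days)
                [ $# -ge 2 ] || { echo "--expiration-days needs a value" >&2; return 2; }
                days=$2; shift ;;
            --) shift; break ;;
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *)  break ;;
        esac
        shift
    done
    case $days in
        ''|*[!0-9]*|0) echo "invalid --expiration-days value: '$days'" >&2; return 2 ;;
    esac
    if [ "$days" -gt "$MAX_BROWSER_DAYS" ]; then
        echo "warning: $days days exceeds the $MAX_BROWSER_DAYS-day browser limit" >&2
    fi
    echo "$days"
}

# generate_snakeoil DAYS OUTDIR: self-signed key and certificate with the
# parsed value passed to -days, then print notAfter for verification.
# Requires openssl(1); subject and file names are assumptions.
generate_snakeoil() {
    days=$1; out=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=localhost" -keyout "$out/ssl-cert-snakeoil.key" \
        -out "$out/ssl-cert-snakeoil.pem" 2>/dev/null || return 1
    openssl x509 -enddate -noout -in "$out/ssl-cert-snakeoil.pem"
}

# Usage sketch: days=$(parse_expiration_days "$@") && generate_snakeoil "$days" /tmp
```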