authorKyle McCullough <kylemcc@gmail.com>2022-12-05 23:12:26 -0800
committerGitHub <noreply@github.com>2022-12-06 00:12:26 -0700
commitbfaf2a8201b83d7369772cb6f2439abe66d9342a (patch)
tree6be62eee5163d018dcf2214c77195abeda280ea9 /modules/caddypki/ca.go
parentfef9cb3e05ea071cdfd9ed1a6be5c8dcabf6603e (diff)
acme_server: Configurable default lifetime for issued certificates (#5232)
* acme_server: add certificate lifetime configuration option Signed-off-by: Kyle McCullough <kylemcc@gmail.com> * pki: allow intermediate cert lifetime to be configured Signed-off-by: Kyle McCullough <kylemcc@gmail.com> Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
Diffstat (limited to 'modules/caddypki/ca.go')
-rw-r--r--modules/caddypki/ca.go10
1 files changed, 9 insertions, 1 deletions
diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go
index 914eddf..1ba0890 100644
--- a/modules/caddypki/ca.go
+++ b/modules/caddypki/ca.go
@@ -48,6 +48,9 @@ type CA struct {
// intermediate certificates.
IntermediateCommonName string `json:"intermediate_common_name,omitempty"`
+ // The lifetime for the intermediate certificates
+ IntermediateLifetime caddy.Duration `json:"intermediate_lifetime,omitempty"`
+
// Whether Caddy will attempt to install the CA's root
// into the system trust store, as well as into Java
// and Mozilla Firefox trust stores. Default: true.
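Review bot: The doc comment on the new `IntermediateLifetime` field says nothing about what happens when it is omitted or about the bound enforced in Provision, so a reader of the generated config docs cannot tell that zero means "use the default" or that too large a value is rejected. The neighbouring fields in this struct spell out their defaults (e.g. "Default: true" two lines below), so this one should too. Suggest `// The lifetime for the intermediate certificates. If unset, a built-in default is used; the value must be shorter than the root certificate's lifetime or provisioning fails.`, filling in the concrete default once it is settled. The `CA` struct continues outside the hunk.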
@@ -118,6 +121,11 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
if ca.IntermediateCommonName == "" {
ca.IntermediateCommonName = defaultIntermediateCommonName
}
+ if ca.IntermediateLifetime == 0 {
+ ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime)
+ } else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime {
+ return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime)
+ }
// load the certs and key that will be used for signing
var rootCert, interCert *x509.Certificate
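Review bot: The lifetime validation added after the `IntermediateCommonName` default accepts a negative value: only `== 0` maps to the default, and the `else if` only rejects values at or above `defaultRootLifetime`, so a negative `caddy.Duration` from the config passes straight through to certificate generation (presumably producing an intermediate whose NotAfter precedes its NotBefore). Change the branch to `} else if d := time.Duration(ca.IntermediateLifetime); d < 0 || d >= defaultRootLifetime {` and extend the error message to say the lifetime must be positive. Separately, the bound compared against is the compile-time `defaultRootLifetime`, not the validity of the root certificate that is loaded a few lines later; if a root with a different lifetime can be loaded from storage, this check may be too lax or too strict relative to that root, which is worth confirming. Provision's body continues outside the hunk.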
@@ -341,7 +349,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Si
func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) {
repl := ca.newReplacer()
- interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey)
+ interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey, time.Duration(ca.IntermediateLifetime))
if err != nil {
return nil, nil, fmt.Errorf("generating CA intermediate: %v", err)
}