diff options
author | Kyle McCullough <kylemcc@gmail.com> | 2022-12-05 23:12:26 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-06 00:12:26 -0700 |
commit | bfaf2a8201b83d7369772cb6f2439abe66d9342a (patch) | |
tree | 6be62eee5163d018dcf2214c77195abeda280ea9 /modules/caddypki/ca.go | |
parent | fef9cb3e05ea071cdfd9ed1a6be5c8dcabf6603e (diff) |
acme_server: Configurable default lifetime for issued certificates (#5232)
* acme_server: add certificate lifetime configuration option
Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
* pki: allow intermediate cert lifetime to be configured
Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
Diffstat (limited to 'modules/caddypki/ca.go')
-rw-r--r-- | modules/caddypki/ca.go | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go index 914eddf..1ba0890 100644 --- a/modules/caddypki/ca.go +++ b/modules/caddypki/ca.go @@ -48,6 +48,9 @@ type CA struct { // intermediate certificates. IntermediateCommonName string `json:"intermediate_common_name,omitempty"` + // The lifetime for the intermediate certificates + IntermediateLifetime caddy.Duration `json:"intermediate_lifetime,omitempty"` + // Whether Caddy will attempt to install the CA's root // into the system trust store, as well as into Java // and Mozilla Firefox trust stores. Default: true. @@ -118,6 +121,11 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error { if ca.IntermediateCommonName == "" { ca.IntermediateCommonName = defaultIntermediateCommonName } + if ca.IntermediateLifetime == 0 { + ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime) + } else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime { + return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime) + } // load the certs and key that will be used for signing var rootCert, interCert *x509.Certificate @@ -341,7 +349,7 @@ func (ca CA) loadOrGenIntermediate(rootCert *x509.Certificate, rootKey crypto.Si func (ca CA) genIntermediate(rootCert *x509.Certificate, rootKey crypto.Signer) (interCert *x509.Certificate, interKey crypto.Signer, err error) { repl := ca.newReplacer() - interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey) + interCert, interKey, err = generateIntermediate(repl.ReplaceAll(ca.IntermediateCommonName, ""), rootCert, rootKey, time.Duration(ca.IntermediateLifetime)) if err != nil { return nil, nil, fmt.Errorf("generating CA intermediate: %v", err) } |