Module: check_mk
Branch: master
Commit: 781490f52f356c6504569c2892587fcaddbc1fd8
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=781490f52f356c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Feb 5 12:20:18 2019 +0100
Increase internal certificate age used for encrypted Livestatus
We decided to set the lifetime of the internally used certificates to
a very long period of 999 years for convenience.
The benefit of a certificate expiration is not really worth the trouble
in our scenario.
In case you have specific security requirements that don't allow such
a long period, you will likely use your own certificates, signed by your
company or some other trusted CA which has a more strict validity period.
CMK-1535
Change-Id: I2838ba706cf98fb4d9fd836d3bb0b5465a74b064
---
omd/packages/omd/omdlib/certs.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/omd/packages/omd/omdlib/certs.py b/omd/packages/omd/omdlib/certs.py
index 98ebfd8..e321f2b 100644
--- a/omd/packages/omd/omdlib/certs.py
+++ b/omd/packages/omd/omdlib/certs.py
@@ -31,7 +31,8 @@ from pathlib2 import Path # pylint: disable=unused-import
from OpenSSL import crypto
from OpenSSL.SSL import FILETYPE_PEM # type: ignore
-CERT_NOT_AFTER = 3 * 365 * 24 * 60 * 60 # 3 years by default
+CERT_NOT_AFTER = 999 * 365 * 24 * 60 * 60 # 999 years by default
+CA_CERT_NOT_AFTER = CERT_NOT_AFTER
class CertificateAuthority(object):
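Review bot: The new `CERT_NOT_AFTER` on the added line works out to 31,504,464,000 seconds, which no longer fits in a 32-bit signed integer, and its inline comment mentions neither that nor the security trade-off. `_make_cert` is outside the diff, so this is inferred: if it forwards the value to pyOpenSSL's `gmtime_adj_notAfter`, which takes a C `long` underneath, certificate creation could fail on platforms where `long` is 32 bits, so it is worth confirming on every supported target. With a lifetime this long, expiry no longer limits how long a leaked CA or site key stays usable, and I would record that at the constant, e.g. `# ~999 years: expiry is effectively disabled; a compromised key must be handled by re-issuing the CA and site certificates`. The second hunk passes the same value for the CA certificate through `CA_CERT_NOT_AFTER`, so both points apply there as well.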
@@ -66,7 +67,7 @@ class CertificateAuthority(object):
# type: () -> Tuple[str, str]
key = self._make_private_key()
- cert = self._make_cert(self._ca_name, 10 * 365 * 24 * 60 * 60) # 10 years
+ cert = self._make_cert(self._ca_name, CA_CERT_NOT_AFTER)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.add_extensions([