[ovs-dev] [PATCH] ovs-pki: Extend validity of generated CA certificates from 3 to 6 years.
reid at nicira.com
reid at nicira.com
Wed Sep 16 21:45:26 UTC 2009
In the foreseeable future (<2100), there should be at least one leap year
in any given six year period, we'd hate to surprise the user a day early =)
Perhaps we should add two extra days.
-Reid
On Wed, 16 Sep 2009 14:33:55 -0700, Jesse Gross <jesse at nicira.com> wrote:
> 6 years and a day? Is that extra day supposed to be there? I'm not
> sure it makes that much of a difference...
>
> Otherwise looks fine.
>
> Ben Pfaff wrote:
>> Dan requested this change to make it less likely that a user encounter a
>> CA certificate expiring.
>>
>> For the "citrix" branch instead of "master" in case a customer upgrades
>> (without generating new CA certificates) away from the beta.
>>
>> CC: Dan Wendlandt <dan at nicira.com>
>> ---
>> utilities/ovs-pki.in | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
>> index 22b5f2a..39d5782 100755
>> --- a/utilities/ovs-pki.in
>> +++ b/utilities/ovs-pki.in
>> @@ -271,7 +271,7 @@ EOF
>> -newkey $newkey -keyout private/cakey.pem -out careq.pem \
>> 1>&3 2>&3
>> openssl ca -config ca.cnf -create_serial -out cacert.pem \
>> - -days 1095 -batch -keyfile private/cakey.pem -selfsign \
>> + -days 2191 -batch -keyfile private/cakey.pem -selfsign \
>> -infiles careq.pem 1>&3 2>&3
>> chmod 0700 private/cakey.pem
>>
>>
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org
More information about the dev
mailing list