[ovs-dev] [PATCH] ovs-pki: Extend validity of generated CA certificates from 3 to 6 years.

Jesse Gross jesse at nicira.com
Wed Sep 16 21:53:43 UTC 2009


Ah, I forgot about those things.  Of course, I think that we are due for 
some leap seconds soon as well...

reid at nicira.com wrote:
> In the foreseeable future (<2100), there should be at least one leap year
> in any given six year period, we'd hate to surprise the user a day early =)
>  Perhaps we should add two extra days.
>   -Reid
>
> On Wed, 16 Sep 2009 14:33:55 -0700, Jesse Gross <jesse at nicira.com> wrote:
>   
>> 6 years and a day?  Is that extra day supposed to be there?  I'm not
>> sure it makes that much of a difference...
>>
>> Otherwise looks fine.
>>
>> Ben Pfaff wrote:
>>     
>>> Dan requested this change to make it less likely that a user encounter a
>>> CA certificate expiring.
>>>
>>> For the "citrix" branch instead of "master" in case a customer upgrades
>>> (without generating new CA certificates) away from the beta.
>>>
>>> CC: Dan Wendlandt <dan at nicira.com>
>>> ---
>>>  utilities/ovs-pki.in |    2 +-
>>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
>>> index 22b5f2a..39d5782 100755
>>> --- a/utilities/ovs-pki.in
>>> +++ b/utilities/ovs-pki.in
>>> @@ -271,7 +271,7 @@ EOF
>>>              -newkey $newkey -keyout private/cakey.pem -out careq.pem \
>>>              1>&3 2>&3
>>>          openssl ca -config ca.cnf -create_serial -out cacert.pem \
>>> -            -days 1095 -batch -keyfile private/cakey.pem -selfsign \
>>> +            -days 2191 -batch -keyfile private/cakey.pem -selfsign \
>>>              -infiles careq.pem 1>&3 2>&3
>>>          chmod 0700 private/cakey.pem
>>>
>>>
>>>       
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org
>> http://openvswitch.org/mailman/listinfo/dev_openvswitch.org
>>     
>
>   




More information about the dev mailing list