authorErich Eckner <git@eckner.net>2019-08-29 14:23:22 +0200
committerErich Eckner <git@eckner.net>2019-08-29 14:23:22 +0200
commit097d3fe90f0e242ecebd1a9bf9b06d6397bf3789 (patch)
treea6731323989f57bdda9e02e6a00845e847f4043d
parent623830c910a7fe0635fcde4d2a77dd8519d658c6 (diff)
downloadsimple-pki-097d3fe90f0e242ecebd1a9bf9b06d6397bf3789.tar.xz
make min duration configurable for ca and endpoint certificates
-rw-r--r--ca.conf3
-rw-r--r--cb.conf3
-rw-r--r--rotate-keys.in4
-rwxr-xr-xsign-ca.in4
4 files changed, 10 insertions, 4 deletions
diff --git a/ca.conf b/ca.conf
index 52b05a9..2f85b40 100644
--- a/ca.conf
+++ b/ca.conf
@@ -4,6 +4,9 @@
ca_name='eckner-ca'
ca_subject_prefix='/C=DE/ST=Thuringia/L=Jena/O=Eckner/OU=Net'
+# generate new ca key/cert afther this many days
+ca_min_duration=60
+
# which system user owns the ca
ca_user='erich'
diff --git a/cb.conf b/cb.conf
index 377067c..47ae16a 100644
--- a/cb.conf
+++ b/cb.conf
@@ -9,6 +9,9 @@ ignore_hosts=('localhost')
# where should the certificates be requested?
ca_host='user@ca.example.com'
+# request new key/cert afther this many days
+key_min_duration=15
+
# which user owns the certificates (not root)
certificate_user='http'
diff --git a/rotate-keys.in b/rotate-keys.in
index 0ba3480..724ea24 100644
--- a/rotate-keys.in
+++ b/rotate-keys.in
@@ -46,9 +46,9 @@ if [ "$(whoami)" != "${certificate_user}" ]; then
for host_key_file in ${host_key_files}; do
if [ -f "${key_dir}/${host_key_file}.key.new" ] \
&& [ -f "${key_dir}/${host_key_file}.crt.new" ]; then
- if [ "$(stat -c%Y "${key_dir}/${host_key_file}.key.new")" -ge "$(($(date +%s)-60*60*24*30))" ] \
+ if [ "$(stat -c%Y "${key_dir}/${host_key_file}.key.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
&& [ -f "${key_dir}/${host_key_file}.key" ] \
- && [ "$(stat -c%Y "${key_dir}/${host_key_file}.crt.new")" -ge "$(($(date +%s)-60*60*24*30))" ] \
+ && [ "$(stat -c%Y "${key_dir}/${host_key_file}.crt.new")" -ge "$(($(date +%s)-60*60*24*key_min_duration))" ] \
&& [ -f "${key_dir}/${host_key_file}.crt" ]; then
continue
fi
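Review bot: Nothing in this hunk guarantees `key_min_duration` is set, and because the name is expanded inside `$(( ... ))` an unset variable silently evaluates to 0, so the two changed `-ge` tests compare the file mtime against the current time and never hold; every run then falls through to re-requesting keys instead of skipping ones that are still fresh. A host whose cb.conf predates this commit would presumably hit exactly that. I would assert the value before the loop, `: "${key_min_duration:?key_min_duration must be set in the config}"`, or default it with `key_min_duration=${key_min_duration:-30}` to keep the previous 30-day behaviour. The same applies to `ca_min_duration` in the sign-ca.in hunk, where the `-lt` tests invert the effect: an unset value makes the CA key/cert be rotated on every run. The `for` loop and the `if` opened at the top of this hunk close outside it.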
diff --git a/sign-ca.in b/sign-ca.in
index 9752464..8d2f4b2 100755
--- a/sign-ca.in
+++ b/sign-ca.in
@@ -17,9 +17,9 @@ fi
if [ -f "${key_dir}/${ca_name}.key.new" ] \
&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
- if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
|| [ ! -f "${key_dir}/${ca_name}.key" ] \
- || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
+ || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*ca_min_duration))" ] \
|| [ ! -f "${key_dir}/${ca_name}.crt" ]; then
mv "${key_dir}/${ca_name}.key"{.new,}
mv "${key_dir}/${ca_name}.crt"{.new,}