The CA expiration time can be defined from env, default is 100 years.

qkboy · Jan 12, 2024 · 587be47 · 587be47
1 parent 0a2d8df
commit 587be47
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -4,6 +4,9 @@ This `README` is a work in progress; aimed towards providing information for nav
 
 ## Changing the Expiration Days for Newly Signed Certificates
 
+By default, a newly signed CA certificate is set to expire 100 years after its creation time and date.
+You can use the `CATTLE_NEW_SIGNED_CA_EXPIRATION_YEARS` environment variable to change this value.
+
 By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date.
 You can use the `CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS` environment variable to change this value.
 

diff --git a/cert/cert.go b/cert/cert.go
@@ -45,6 +45,7 @@ import (
 const (
 	rsaKeySize   = 2048
 	duration365d = time.Hour * 24 * 365
+	duration100y = time.Hour * 24 * 365 * 100
 )
 
 var ErrStaticCert = errors.New("cannot renew static certificate")
@@ -74,14 +75,23 @@ func NewPrivateKey() (*rsa.PrivateKey, error) {
 // NewSelfSignedCACert creates a CA certificate
 func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
 	now := time.Now()
+	expiresAt := duration100y
+	envExpirationYears := os.Getenv("CATTLE_NEW_SIGNED_CA_EXPIRATION_YEARS")
+	if envExpirationYears != "" {
+		if envExpirationYearsInt, err := strconv.Atoi(envExpirationYears); err != nil {
+			logrus.Infof("[NewSelfSignedCACert] expiration years from ENV (%s) could not be converted to int (falling back to default value: %d)", envExpirationYears, duration100y)
+		} else {
+			expiresAt = time.Hour * 24 * 365 * time.Duration(envExpirationYearsInt)
+		}
+	}
 	tmpl := x509.Certificate{
 		SerialNumber: new(big.Int).SetInt64(0),
 		Subject: pkix.Name{
 			CommonName:   cfg.CommonName,
 			Organization: cfg.Organization,
 		},
 		NotBefore:             now.UTC(),
-		NotAfter:              now.Add(duration365d * 10).UTC(),
+		NotAfter:              now.Add(expiresAt).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,