git » kxd » commit 8534ea1

scripts: Make generated certificates expiry in 10 years

author Alberto Bertogli
2014-07-12 19:46:42 UTC
committer Alberto Bertogli
2014-07-12 19:46:42 UTC
parent d48434ec40a6fc4c6c885f042af38e49694906ae

scripts: Make generated certificates expiry in 10 years

The convenience scripts that generate certificates do not specify how long
they will be valid for, and openssl defaults to 30 days which is quite short.

This patch changes the scripts so the certificates last 10 years, which is
more useful.

Signed-off-by: Alberto Bertogli <albertito@blitiri.com.ar>

doc/quick_start.rst +4 -3
scripts/create-kxd-config +1 -1
scripts/kxc-add-key +1 -1

diff --git a/doc/quick_start.rst b/doc/quick_start.rst
index 648e146..4127719 100644
--- a/doc/quick_start.rst
+++ b/doc/quick_start.rst
@@ -23,7 +23,8 @@ First of all, install kxd_ on the server, usually via your distribution
 packages, or directly from source.
 
 Then, run ``create-kxd-config``, which will create the configuration
-directories, and generate a self-signed_ key/cert pair for the server.
+directories, and generate a self-signed_ key/cert pair for the server (valid
+for 10 years).
 Everything is in ``/etc/kxd/``.
 
 
@@ -35,8 +36,8 @@ directly from source.
 
 
 Then, run ``kxc-add-key server sda2``, which will create the configuration
-directories, and generate the client key/cert pair, and also create an entry
-for an ``client/sda2`` key to be fetched from the server.
+directories, generate the client key/cert pair (valid for 10 years), and also
+create an entry for an ``client/sda2`` key to be fetched from the server.
 Everything is in ``/etc/kxc/``.
 
 Finally, copy the server public certificate over, using
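Review bot: the rewrapped sentence in this hunk still reads "an ``client/sda2`` key"; since the line is being rewritten anyway, change it to "a ``client/sda2`` key". The added "(valid for 10 years)" would also be more useful to a reader if it said what to do when the certificate does expire, since the following step has the server certificate copied over by hand and a regenerated one would need to be copied again.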
diff --git a/scripts/create-kxd-config b/scripts/create-kxd-config
index d73ee0a..3f1c6f0 100755
--- a/scripts/create-kxd-config
+++ b/scripts/create-kxd-config
@@ -28,7 +28,7 @@ fi
 # And a self-signed certificate.
 if ! [ -e /etc/kxd/cert.pem ]; then
 	echo "Generating certificate (/etc/kxd/cert.pem)"
-	openssl req -new -x509 -batch \
+	openssl req -new -x509 -batch -days 3650 \
 		-subj "/commonName=*/organizationalUnitName=kxd@$HOSTNAME/" \
 		-key /etc/kxd/key.pem -out /etc/kxd/cert.pem
 else
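Review bot: the `if ! [ -e /etc/kxd/cert.pem ]` guard around the changed line means the new `-days 3650` only applies to fresh installs; a host that already ran this script keeps the short-lived certificate it has. The commit message or quick start should say that an existing /etc/kxd/cert.pem has to be removed and regenerated, and then copied to the clients again, to get the longer validity.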
diff --git a/scripts/kxc-add-key b/scripts/kxc-add-key
index 1606e1c..0e62e43 100755
--- a/scripts/kxc-add-key
+++ b/scripts/kxc-add-key
@@ -39,7 +39,7 @@ fi
 # And a self-signed certificate.
 if ! [ -e /etc/kxc/cert.pem ]; then
 	echo "Generating certificate (/etc/kxc/cert.pem)"
-	openssl req -new -x509 -batch \
+	openssl req -new -x509 -batch -days 3650 \
 		-subj "/commonName=*/organizationalUnitName=kxc@$HOSTNAME/" \
 		-key /etc/kxc/key.pem -out /etc/kxc/cert.pem
 else
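Review bot: `-days 3650` is now a hard-coded literal here and in scripts/create-kxd-config, so the two can drift apart and an operator who wants a shorter rotation period has to edit both scripts. Consider taking the value from one overridable setting with 3650 as the default, for example `-days "${CERT_DAYS:-3650}"` (the variable name is only a suggestion), and documenting it next to the "valid for 10 years" text in doc/quick_start.rst.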