Comments (5)
This could be solved easily...
What might be the best way to handle this? Raise a warning and fail, set the expires date to the same as the parent, or raise a warning only if the user has specified an expiry (set to parent expiry if not explicitly set)?
from django-ca.
Hi,
Sorry I didn't attend to this issue for a while. I was held up in other projects. In any case, I didn't give it much importance since initial research into the TLS specs showed that this is not actually an error.
After no longer being held up by other projects and some more research, I'm sure it actually is an error. I'm in the process of implementing this now. I've settled for this behavior:
- For creating child CAs, the maximum expiry is silently set to that of its parent. The reason is that any default of X days is automatically after that of the parent a day after issuing the parent.
- For child certificates, I throw an error if the default or whatever the user specifies is after the CA's expiry.
This means that with a default of a year and a CA expiring in 10 years, you'll be able to silently issue certs for nine years; in the tenth year you'll get errors with the default expiry. This seems reasonable because an expiring CA is something you really should take care of. In the meantime, you can issue shorter-lived certs if you explicitly want.
from django-ca.
PS: If there's strong objection to that behavior please let me know. I'll definitely consider it.
from django-ca.
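An added illustration of the two rules described in the comment above (example code, not django-ca's own implementation; the default validity periods, the `Issuer` type and the function names are assumptions). It replays the scenario of one-year default certificates under a CA valid for ten years:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed defaults for this example (not django-ca's actual settings).
DEFAULT_CERT_EXPIRY = timedelta(days=365)
DEFAULT_CA_EXPIRY = timedelta(days=365 * 10)


class ExpiryError(ValueError):
    """Requested certificate expiry lies after the issuing CA's expiry."""


@dataclass(frozen=True)
class Issuer:
    name: str
    not_after: datetime


def child_ca_not_after(parent: Issuer, now: datetime, expires: Optional[timedelta] = None) -> datetime:
    """Rule for child CAs: the requested expiry is silently capped at the parent's."""
    requested = now + (expires or DEFAULT_CA_EXPIRY)
    return min(requested, parent.not_after)


def cert_not_after(ca: Issuer, now: datetime, expires: Optional[timedelta] = None) -> datetime:
    """Rule for end-entity certs: an expiry after the CA's (default or explicit) is an error."""
    requested = now + (expires or DEFAULT_CERT_EXPIRY)
    if requested > ca.not_after:
        raise ExpiryError(f"{ca.name} expires {ca.not_after:%Y-%m-%d}, requested {requested:%Y-%m-%d}")
    return requested


def walk_scenario() -> dict:
    """Constructed timeline: root CA valid ten years, child CA a day later, certs in years 9 and 10."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    root = Issuer("root", t0 + DEFAULT_CA_EXPIRY)
    # Requested with the default a day after the root, the child would outlive it; it is capped.
    child = Issuer("child", child_ca_not_after(root, t0 + timedelta(days=1)))
    year9 = t0 + timedelta(days=365 * 9)
    year10 = t0 + timedelta(days=365 * 9 + 180)
    out = {"child_capped": child.not_after == root.not_after,
           "year9_ok": cert_not_after(child, year9) <= child.not_after}
    try:
        cert_not_after(child, year10)  # default one year now reaches past the CA's expiry
        out["year10_default"] = "issued"
    except ExpiryError:
        out["year10_default"] = "error"
    # An explicitly shorter-lived cert is still issued in the tenth year.
    out["year10_short"] = cert_not_after(child, year10, timedelta(days=90)) <= child.not_after
    return out
```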
That seems the most sensible approach 👍
from django-ca.
I've just tagged version 1.4.0 which implements this behavior (and has a few new features). Please just open a new issue if you find any problems!
from django-ca.