Change method of generating Certificate dates and serial numbers #631
Comments
Will test implementation in v5.6.dev and then retro-fix to v5.5.
When generating Serial numbers from host names a hash of the rootCA, start_date and end_date is added to the CN to produce a unique serial number. This means that the serial number for a host will change if the rootCA or start/end date is changed. This will force a re-generation of the certificate. The generated cert store should be cleared to remove the now stale certificates previously generated.
Further investigation shows that the browsers only enforce the 1 year limit on server certificates for public CA roots, so this limitation does not apply to e2g MITM as we are using a corporate private rootCA. However, we do need a method of re-generating server certs whenever the rootCA or the begin or end date changes.
Implemented in v5.6.dev and v5.5.
Also note change of default generatedcertstart value to 1711926000 (= 1st April 2024)
Update certificate generation. Possibly set start_date to 1st January 00:01 of current year and lifetime to +390 days and use the start date as part of the hash to create the serial no. This would automatically make sure that the up-to-date cert is used. See #624. For implementation in v5.5. After note: missed for v5.5 - will do in v5.6.dev
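The two comments above describe the same mechanism from two angles: derive each generated server certificate's serial number from the host name plus a hash of the root CA and the validity window, so that a new root CA or a new start/end date automatically yields a new serial and forces regeneration, and then purge the generated-cert store of entries that no longer match. The following Python is an added illustration written for this page, not e2guardian's code. It assumes a constructed byte string stands in for the root CA's DER encoding, that SHA-256 truncated to 19 bytes is an acceptable serial (positive and within the 20-octet limit of RFC 5280), and that the in-memory `GeneratedCertStore` class with its `purge_stale` method is a hypothetical stand-in for the on-disk generated cert store.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the DER bytes of two different private root CAs.
# A real deployment would hash the actual root CA certificate file.
ROOT_CA_DER_V1 = b"-- constructed root CA v1 DER bytes --"
ROOT_CA_DER_V2 = b"-- constructed root CA v2 DER bytes --"

LIFETIME_DAYS = 390  # lifetime proposed in the thread


def default_start(now=None):
    """Start date proposed in the thread: 1st January 00:01 (UTC here) of the current year."""
    now = now or datetime.now(timezone.utc)
    return datetime(now.year, 1, 1, 0, 1, tzinfo=timezone.utc)


def validity_window(start):
    """Return (not_before, not_after) for the proposed +390 day lifetime."""
    return start, start + timedelta(days=LIFETIME_DAYS)


def derive_serial(hostname, root_ca_der, start, end):
    """Deterministic serial: SHA-256 over host name, root CA fingerprint and validity window.

    Any change to the root CA or to start/end changes the serial, which is what forces
    a fresh certificate to be generated. Truncated to 19 bytes so the value is positive
    and stays inside the 20-octet maximum serial length of RFC 5280 (assumption: this
    truncation is acceptable for a private MITM CA).
    """
    ca_fingerprint = hashlib.sha256(root_ca_der).digest()
    material = b"|".join([
        hostname.strip().lower().encode("idna"),  # normalise case so EXAMPLE.COM == example.com
        ca_fingerprint,
        struct.pack(">q", int(start.timestamp())),
        struct.pack(">q", int(end.timestamp())),
    ])
    serial = int.from_bytes(hashlib.sha256(material).digest()[:19], "big")
    return serial if serial else 1  # serial must be non-zero (negligible-probability guard)


class GeneratedCertStore:
    """Hypothetical in-memory model of the generated cert store, keyed by serial number."""

    def __init__(self):
        self._certs = {}
        self.generations = 0  # how many times a cert actually had to be (re)generated

    def get_or_generate(self, hostname, root_ca_der, start, end):
        serial = derive_serial(hostname, root_ca_der, start, end)
        if serial not in self._certs:
            # Cache miss: the serial is new, so a new leaf cert would be signed here.
            self.generations += 1
            self._certs[serial] = {
                "cn": hostname,
                "serial": serial,
                "not_before": start,
                "not_after": end,
            }
        return self._certs[serial]

    def purge_stale(self, root_ca_der, start, end):
        """Remove entries whose serial does not match the current root CA and window.

        This is the "clear the generated cert store" step from the thread; it returns the
        number of stale certificates dropped.
        """
        stale = [
            serial for serial, rec in self._certs.items()
            if derive_serial(rec["cn"], root_ca_der, start, end) != serial
        ]
        for serial in stale:
            del self._certs[serial]
        return len(stale)

    def __len__(self):
        return len(self._certs)


if __name__ == "__main__":
    start, end = validity_window(default_start())
    store = GeneratedCertStore()
    store.get_or_generate("example.com", ROOT_CA_DER_V1, start, end)
    store.get_or_generate("example.com", ROOT_CA_DER_V1, start, end)   # cache hit
    store.get_or_generate("example.com", ROOT_CA_DER_V2, start, end)   # new CA: regenerated
    print("generations:", store.generations, "purged:", store.purge_stale(ROOT_CA_DER_V2, start, end))
```

The serial is the cache key, so swapping the root CA or rolling the validity window changes the key and the old entry is simply never hit again; `purge_stale` exists because those never-hit entries otherwise accumulate in the store as the stale certificates the thread says should be cleared.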