Configurable certificate lifetime for the CA server
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
It would be useful to have a config option for the Certificate duration for the ACME Provisioner as discussed here https://github.com/smallstep/certificates/discussions/1049
Why is this needed?
We monitor the validity period of our SSL certificates and would like to have a duration of 30 days and renew them after 15 days, so that we have enough time to troubleshoot any issues with renewing the certificates.
@marcohald: I've updated the title to better reflect what you're looking for, based on the existing discussion. If I'm correct, you're looking for an option to set the certificate lifetime for the CA HTTPS API, which includes the ACME directory endpoints. At this time the CA will transparently renew the certificate that it uses to serve all endpoints every day. You would like to have an option to make the certificate lifetime 30 days and to renew them at half their lifetime.
@hslatman yes, you are correct. I think it would be better if the lifetime and the renew time could be specified in hours, for most users that need it customized.
I don't understand the need for this: the CA will automatically renew its own certificate, and if it's unable to do so, it won't be able to issue new certificates to anyone. And it's always possible to monitor that the CA always has a valid certificate just by doing a request to it.
After https://github.com/smallstep/certificates/pull/1685 was merged, this functionality is now a step closer. At the moment it would still require custom code to provide *tls.Config, but it might happen that we provide a way to configure that in a more convenient way sometime.
We have a default 90d lifetime on the Provisioner, but the RA is still generating a 1d certificate. Autorenewals are working; however, we have also configured Slack integration to notify us of expired certificates, and -- apparently because of the short lifetime -- we're getting daily Slack notifications from Smallstep that the RA certificate has expired, even though it autorenews. Being able to configure the RA to use a 90d certificate would allow renewal to happen comfortably outside the notification window so that we would not be receiving these daily spurious notifications.
@sshipway with this PR https://github.com/smallstep/certificates/pull/1764, I'm letting the CA decide which lifetime the RA should have.
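To make the two mechanisms discussed in this thread concrete (the CA renewing its own serving certificate at a fraction of its lifetime, and an expiry monitor whose warning window overlaps that schedule and therefore fires spuriously), here is a small added Go example. It is not code from step-ca or from any of the commenters; it builds a throwaway self-signed certificate with crypto/x509 and then checks, for a chosen lifetime, renewal fraction and monitor warning window, whether the renewal point falls before or after the point at which the monitor starts alerting. The lifetimes, the 0.5 renewal fraction, the warning windows and the hostname are assumed values chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifetimes: 1d matches the self-renewal behaviour described in the
// thread; 90d is what the requesters want to configure.
const (
	ShortLifetime = 24 * time.Hour
	LongLifetime  = 90 * 24 * time.Hour
)

// selfSignedCert builds a throwaway ECDSA certificate valid for [notBefore, notBefore+lifetime).
func selfSignedCert(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ca.example.internal"}, // assumed hostname
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewAt returns the instant at which the certificate should be renewed when
// renewal is scheduled at a fraction of its lifetime (0.5 = "at half lifetime").
func RenewAt(cert *x509.Certificate, fraction float64) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(time.Duration(float64(lifetime) * fraction))
}

// RenewalDue reports whether the renewal point has been reached at time now.
func RenewalDue(cert *x509.Certificate, now time.Time, fraction float64) bool {
	return !now.Before(RenewAt(cert, fraction))
}

// MonitorVerdict is what a simple expiry monitor would report for a certificate.
type MonitorVerdict string

const (
	VerdictOK       MonitorVerdict = "ok"
	VerdictExpiring MonitorVerdict = "expiring-soon"
	VerdictExpired  MonitorVerdict = "expired"
)

// Assess mimics a monitor that warns once fewer than warnBefore remain and
// reports expired once NotAfter has passed.
func Assess(cert *x509.Certificate, now time.Time, warnBefore time.Duration) MonitorVerdict {
	remaining := cert.NotAfter.Sub(now)
	switch {
	case remaining <= 0:
		return VerdictExpired
	case remaining < warnBefore:
		return VerdictExpiring
	default:
		return VerdictOK
	}
}

// SpuriousWarning reports whether the monitor's warning window opens before the
// scheduled renewal, i.e. whether a healthy, auto-renewing certificate will
// still trigger an alert on every cycle. The window opens at lifetime-warnBefore
// after issuance; renewal happens at lifetime*fraction after issuance.
func SpuriousWarning(lifetime, warnBefore time.Duration, fraction float64) bool {
	renewAfter := time.Duration(float64(lifetime) * fraction)
	return lifetime-warnBefore < renewAfter
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := selfSignedCert(t0, LongLifetime)
	if err != nil {
		panic(err)
	}
	fmt.Println("renew at:", RenewAt(cert, 0.5))
	fmt.Println("verdict at day 44:", Assess(cert, t0.Add(44*24*time.Hour), 7*24*time.Hour))
	fmt.Println("1d cert, 24h warning, renew at half:", SpuriousWarning(ShortLifetime, 24*time.Hour, 0.5))
	fmt.Println("90d cert, 7d warning, renew at half:", SpuriousWarning(LongLifetime, 7*24*time.Hour, 0.5))
}
```

The useful check is the last one: with a 1-day certificate renewed at half its lifetime, any monitor that warns a day (or even 13 hours) ahead will alert on every cycle, whereas a 90-day certificate renewed at 45 days leaves the monitor's window untouched unless that window is longer than 45 days. The monitor itself is not wrong; the lifetime and the warning window have to be chosen together.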