
Extend maximum token lifetime past 1 hour

Open J-Hunter-Hawke opened this issue 3 years ago • 1 comment

What would you like to be added

The longest allowed lifetime for a token created with step ca token ... is 1 hour. This value should be customizable to the maximum value allowed by the provisioner. It is currently hard-coded:

cli/token/token.go
----
const (
	// MaxValidity is the maximum token validity duration.
	MaxValidity = 1 * time.Hour
)

Why this is needed

Some use-cases require a much longer-lived token. For example, IoT devices using the OTT flow to issue certificates would probably need a token living for multiple months/years depending on how long they sit on the shelf.

J-Hunter-Hawke, Apr 19 '22 13:04
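To make the ceiling the issue describes concrete, here is an added example (not code from the step CLI or from either participant) of how a token-issuing tool can enforce such a limit: a requested validity above the maximum is refused outright rather than silently shortened, and a token that has sat unused past its expiry is rejected at presentation time. The 1 h ceiling mirrors the MaxValidity constant quoted above; the 5 m default, the TokenWindow type and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Limits assumed for this example. The 1 h ceiling matches the MaxValidity
// constant quoted in the issue; the 5 m default is an assumption.
const (
	DefaultValidity = 5 * time.Minute
	MaxValidity     = 1 * time.Hour
)

// ErrValidityTooLong is returned when a caller asks for a token that would
// outlive the hard ceiling.
var ErrValidityTooLong = errors.New("requested token validity exceeds the maximum")

// TokenWindow is the nbf/exp pair that would be placed in the token's claims.
type TokenWindow struct {
	NotBefore time.Time
	Expiry    time.Time
}

// TokenValidity derives the validity window for a one-time token. A zero
// requested duration selects the default; anything above MaxValidity is
// refused (not clamped), so a mis-configured caller learns about the limit
// instead of receiving a credential with a different lifetime than it asked for.
func TokenValidity(now time.Time, requested time.Duration) (TokenWindow, error) {
	if requested < 0 {
		return TokenWindow{}, fmt.Errorf("negative validity %s", requested)
	}
	if requested == 0 {
		requested = DefaultValidity
	}
	if requested > MaxValidity {
		return TokenWindow{}, fmt.Errorf("%w: %s > %s", ErrValidityTooLong, requested, MaxValidity)
	}
	return TokenWindow{NotBefore: now, Expiry: now.Add(requested)}, nil
}

// Usable reports whether a token with this window may be presented at time t.
// A token that has "sat on the shelf" past its expiry is rejected here, which
// is exactly the behaviour the issue's IoT scenario runs into.
func (w TokenWindow) Usable(t time.Time) bool {
	return !t.Before(w.NotBefore) && t.Before(w.Expiry)
}

func main() {
	// Constructed reference time for the demonstration.
	now := time.Date(2022, 4, 19, 13, 0, 0, 0, time.UTC)

	for _, req := range []time.Duration{0, 30 * time.Minute, MaxValidity, 30 * 24 * time.Hour} {
		w, err := TokenValidity(now, req)
		if err != nil {
			fmt.Printf("request %-9s -> refused: %v\n", req, err)
			continue
		}
		fmt.Printf("request %-9s -> nbf=%s exp=%s\n", req,
			w.NotBefore.Format(time.RFC3339), w.Expiry.Format(time.RFC3339))
	}

	// A device that waits a month before redeeming a 1 h token is turned away.
	w, _ := TokenValidity(now, MaxValidity)
	fmt.Println("usable after 30 days:", w.Usable(now.Add(30*24*time.Hour)))
}
```

Refusing instead of clamping is a deliberate choice: a client that silently received a shorter-lived token than it requested would fail later, at redemption, with a far less informative error.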

The currently supported and endorsed workaround is to issue an x509 "birth" certificate to the device (or application) and then use that credential to either generate new credentials (via x5c provisioning).

Whether or not we allow longer lived tokens (and what those lifetimes should be) is probably a product question. The reason that we didn't allow them to start with is that we wanted a credential with very limited scope.

I think we'll want a better understanding of use cases: for example suppose my provisioner has a max x509 lifetime of 24 hrs but the token won't be used for weeks/months/years. Do we actually want a credential that doesn't expire? Or something that acts like one (vs. an arbitrary lifetime).

dopey, Apr 20 '22 23:04