This bug was fixed in the package ssl-cert - 1.1.0
---
ssl-cert (1.1.0) unstable; urgency=medium
[ Stefan Fritsch ]
* Remove obsolete openssl-blacklist suggests.
* Add some autopkgtests. LP: #1679405
* Create correct hash symlink. LP: #1324897
* Automatically re-create the
The link at [1] does not talk about self-signed certificates at all,
only about DV and OV certificates. I agree that make-ssl-cert should
have an option for the lifetime of the generated certificate, but I
don't think that 825 days should be the default for
'generate-default-snakeoil'. If you
** Merge proposal linked:
https://code.launchpad.net/~bryce/ubuntu/+source/ssl-cert/+git/ssl-cert/+merge/393784
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853021
Title:
ssl-cert
** Description changed:
- The CA/Browser Forum now has a standard with maximum expiration of 825
- days.
+ [Impact]
+ The CA/Browser Forum now has a standard with maximum expiration of 825 days.
`ssl-cert generate-default-snakeoil` hardcodes this to 10 years (3650 days),
but provides no
** Tags added: patch
--
Title:
ssl-cert generate-default-snakeoil provides no way to override default
10 year expiration or reduce to 825 day
** Changed in: ssl-cert (Ubuntu)
Status: New => Triaged
** Changed in: ssl-cert (Ubuntu)
Importance: Undecided => Wishlist
** Tags added: bitesize
** Tags added: server-next
--
If I understand correctly, the needed fix here is to modify
/usr/sbin/make-ssl-cert to add a --expiration-days=N option that passes the value
to the -days arg in the last invocation of `openssl req`, maybe similar
to what I've sketched in the attached (completely untested) patch?
** Patch added:
** Description changed:
The CA/Browser Forum now has a standard with maximum expiration of 825
days.
References:
https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
https://www.sslshopper.com/cab-forum-reduces-max-cert-validity-to-825-days.html
** Summary changed:
- ssl-cert generate-default-snakeoil provides no way to override default 10
year expiration
+ ssl-cert generate-default-snakeoil provides no way to override default 10
year expiration or reduce to 825 day expiration