From f7b87dfc43c7d2ad385b644b230b2a1f4e78b27e Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 16 Dec 2019 18:56:06 +0100
Subject: [PATCH] system: 825 days is the current maximum so use it

Learned this the hard way on macOS Catalina behaviour. Since this is a new policy enforced since 2019 it's safe to increase the defaults (which were 10 years before) as well. Likely makes a few users happy that had VPN certificates run out over the years.
---
 src/etc/inc/plugins.inc.d/webgui.inc | 2 +-
 src/etc/ssl/opnsense.cnf | 2 +-
 src/wizard/openvpn.xml | 8 ++++----
 src/www/system_camanager.php | 2 +-
 src/www/system_certmanager.php | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc
index 8acbbd7c2..2d5dc260f 100644
--- a/src/etc/inc/plugins.inc.d/webgui.inc
+++ b/src/etc/inc/plugins.inc.d/webgui.inc
@@ -100,7 +100,7 @@ function webgui_configure_do($verbose = false, $interface = '')
 /* XXX ought to be replaced by PHP calls */
 '/usr/local/bin/openssl req -new -extensions server_cert ' .
 '-config /usr/local/etc/ssl/opnsense.cnf ' .
- '-newkey rsa:4096 -sha256 -days 365 -nodes -x509 ' .
+ '-newkey rsa:4096 -sha256 -nodes -x509 ' .
 '-subj "/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense" ' .
 '-keyout /tmp/ssl.key -out /tmp/ssl.crt'
 );
diff --git a/src/etc/ssl/opnsense.cnf b/src/etc/ssl/opnsense.cnf
index 8a15076aa..1857ba322 100644
--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf
@@ -71,7 +71,7 @@ cert_opt = ca_default # Certificate field options
 # crlnumber must also be commented out to leave a V1 CRL.
 crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 825 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
diff --git a/src/wizard/openvpn.xml b/src/wizard/openvpn.xml
index b7e319ab0..384099353 100644
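Review bot: Dropping `-days 365` from the `openssl req -x509` command on the changed line does not make it inherit `default_days = 825` from opnsense.cnf: as far as I can tell `default_days` is an `openssl ca` setting that `req` never reads, and `req -x509` without `-days` uses its built-in default of 30 days, so the web GUI's self-signed certificate would now expire after a month instead of being lengthened. Keep the lifetime explicit, `'-newkey rsa:4096 -sha256 -days 825 -nodes -x509 ' .`, with a comment such as `/* openssl req ignores default_days; keep in sync with opnsense.cnf */`. Running `openssl x509 -noout -enddate -in /tmp/ssl.crt` on a freshly regenerated certificate would confirm which default actually applies. `webgui_configure_do()` begins and ends outside the hunk.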
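Review bot: The `# how long to certify for` comment on the changed `default_days` line should record where 825 comes from, because it is a client trust-store ceiling rather than anything OpenSSL requires, and such ceilings tend to be lowered over time: `default_days = 825 # max TLS server-cert validity accepted by current OS/browser policy (2019); keep in sync with the GUI defaults`. Since this is the value `openssl ca` applies to anything it signs without an explicit `-days`, it is also worth stating whether CA certificates signed through this config are meant to be capped at it, which is presumably not intended.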
--- a/src/wizard/openvpn.xml
+++ b/src/wizard/openvpn.xml
@@ -384,8 +384,8 @@ Lifetime input 10
- 365
- Lifetime in days. This is commonly set to 365 (Approximately 1 year.)
+ 825
+ Lifetime in days. This is commonly set to 825 (approximately 2 years).
 wizardtemp->step6->lifetime
@@ -511,10 +511,10 @@ lifetime Lifetime
- Lifetime in days. This is commonly set to 365 (Approximately 1 year.)
+ Lifetime in days. This is commonly set to 825 (approximately 2 years).
 input 10
- 365
+ 825
 wizardtemp->step9->lifetime
diff --git a/src/www/system_camanager.php b/src/www/system_camanager.php
index 364dcadc2..8fc90a3bb 100644
--- a/src/www/system_camanager.php
+++ b/src/www/system_camanager.php
@@ -185,7 +185,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['keytype'] = "RSA";
 $pconfig['keylen'] = "2048";
 $pconfig['digest_alg'] = "sha256";
- $pconfig['lifetime'] = "365";
+ $pconfig['lifetime'] = "825";
 $pconfig['dn_commonname'] = "internal-ca";
 } elseif ($act == "exp") {
 if (!isset($id)) {
diff --git a/src/www/system_certmanager.php b/src/www/system_certmanager.php
index aaec3373c..67946f58c 100644
--- a/src/www/system_certmanager.php
+++ b/src/www/system_certmanager.php
@@ -280,8 +280,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['csr_keytype'] = "RSA";
 $pconfig['csr_keylen'] = "2048";
 $pconfig['csr_digest_alg'] = "sha256";
- $pconfig['lifetime'] = "365";
- $pconfig['lifetime_sign_csr'] = "365";
+ $pconfig['lifetime'] = "825";
+ $pconfig['lifetime_sign_csr'] = "825";
 $pconfig['cert_type'] = "usr_cert";
 $pconfig['cert'] = null;
 $pconfig['key'] = null;
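Review bot: Setting the internal-CA creation default to 825 days, the same value this commit uses for leaf certificates, means any certificate signed even a day after the CA is created outlives its issuer, and a leaf stops validating the moment its CA expires regardless of its own notAfter. The 825-day ceiling cited in the commit message is a client policy for TLS server (leaf) certificates and does not constrain CA certificates, so a longer CA default, e.g. `$pconfig['lifetime'] = "3650"; // CA lifetime; leaf defaults are 825 days, keep this well above that`, seems more appropriate on the changed line. Separately, the signing path should reject or clamp a requested leaf lifetime that would extend beyond the issuing CA's notAfter; that code is outside this hunk. The enclosing `if ($_SERVER['REQUEST_METHOD'] === 'GET')` block starts and ends outside the hunk.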