author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-09-01 23:24:29 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-09-01 23:39:55 +0300 |
commit | da410f2d0e3a67f1960e08e04142856cb84d5ba0 (patch) | |
tree | 30ac00f868b871444f3ba9e63d12266793e7ae3b | |
parent | ed5d2f170cfcfd565682028a9f44caa6ba1217ef (diff) | |
dmvpn-ca: certificate renewal before expiry
-rwxr-xr-x | dmvpn-ca | 22 | ||||
-rw-r--r-- | dmvpn-ca.conf | 3 |
2 files changed, 16 insertions, 9 deletions
@@ -58,6 +58,7 @@ set_config_defaults( db={file='/var/lib/misc/dmvpn-ca.sqlite3'}, cert={ lifetime=365 * 24 * 60 * 60, + renewal=30 * 24 * 60 * 60, ['hash-alg']='SHA256', key={type='EC', curve='secp384r1'} }, @@ -414,7 +415,9 @@ function print_cert(cert) print(x509.new(cert.data, 'PEM'):text{'ext_parse'}) end -function is_valid(cert) return not cert.revoked and now < cert.expires end +function is_valid(cert, margin) + return not cert.revoked and now < cert.expires - (margin or 0) +end function revoke(filter) local revoked = {} @@ -1138,13 +1141,13 @@ output = scan_choice( vname=row[5] } - local function insert() - attrs.params = config[ - attrs.site == '' and - 'hub' or - 'spoke' - ] + attrs.params = config[ + attrs.site == '' and + 'hub' or + 'spoke' + ] + local function insert() attrs.dn = attrs.params.dn:gsub( '%$(%u+)', { @@ -1179,7 +1182,10 @@ output = scan_choice( site=row[1], vpnc=row[2] } do - if is_valid(cert) then + if is_valid( + cert, + attrs.params.renewal + ) then valid = true end end diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf index ed9a08b..15dd39a 100644 --- a/dmvpn-ca.conf +++ b/dmvpn-ca.conf @@ -1,5 +1,6 @@ cert: - lifetime: 600 + lifetime: 900 + renewal: 300 ca: dn: 'DC=com,DC=example' |
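Review bot: In the `is_valid(cert, margin)` hunk a missing or nil `margin` collapses to 0, so if `attrs.params.renewal` is not populated for the hub/spoke section (the defaults hunk sets `renewal` under `cert`, and whether `set_config_defaults` copies it into the `hub`/`spoke` params is not visible here) the pre-expiry renewal silently never triggers instead of failing loudly; consider validating it before the call in the scan loop, e.g. `assert(attrs.params.renewal, 'cert.renewal not configured')`, or at least documenting the fallback with `-- margin: seconds before expires at which the cert counts as due for renewal; nil/0 disables` above the function. There is also no guard that `renewal` is smaller than the certificate lifetime; if it is not, every run will see the current certificate as invalid and issue a fresh one. The `output = scan_choice(` callback that the last two hunks modify starts and ends outside the shown lines.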
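Review bot: The new `renewal: 300` key in `dmvpn-ca.conf` carries no unit, while the code subtracts it straight from the certificate's `expires` timestamp; a comment such as `# seconds before expiry at which a new certificate is issued` next to it (assuming the config parser accepts `#` comments) would make its relation to `lifetime: 900` explicit. The sample values are also far shorter than the one-year and 30-day code defaults, which is presumably intentional for testing but worth stating in the same comment.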