-rwxr-xr-x | dmvpn-ca | 22 | ||||
-rw-r--r-- | dmvpn-ca.conf | 3 |
2 files changed, 16 insertions, 9 deletions
@@ -58,6 +58,7 @@ set_config_defaults(
 db={file='/var/lib/misc/dmvpn-ca.sqlite3'},
 cert={
 lifetime=365 * 24 * 60 * 60,
+ renewal=30 * 24 * 60 * 60,
 ['hash-alg']='SHA256',
 key={type='EC', curve='secp384r1'}
 },
@@ -414,7 +415,9 @@ function print_cert(cert)
 print(x509.new(cert.data, 'PEM'):text{'ext_parse'})
 end
-function is_valid(cert) return not cert.revoked and now < cert.expires end
+function is_valid(cert, margin)
+ return not cert.revoked and now < cert.expires - (margin or 0)
+end
 function revoke(filter)
 local revoked = {}
@@ -1138,13 +1141,13 @@ output = scan_choice(
 vname=row[5]
 }
- local function insert()
- attrs.params = config[
- attrs.site == '' and
- 'hub' or
- 'spoke'
- ]
+ attrs.params = config[
+ attrs.site == '' and
+ 'hub' or
+ 'spoke'
+ ]
+ local function insert()
 attrs.dn = attrs.params.dn:gsub(
 '%$(%u+)',
 {
@@ -1179,7 +1182,10 @@ output = scan_choice(
 site=row[1],
 vpnc=row[2]
 } do
- if is_valid(cert) then
+ if is_valid(
+ cert,
+ attrs.params.renewal
+ ) then
 valid = true
 end
 end
diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf
index ed9a08b..15dd39a 100644
--- a/dmvpn-ca.conf
+++ b/dmvpn-ca.conf
@@ -1,5 +1,6 @@
 cert:
- lifetime: 600
+ lifetime: 900
+ renewal: 300
 ca:
 dn: 'DC=com,DC=example' |
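Review bot: Nothing constrains the new `renewal` default (or a configured override) to be shorter than `lifetime`; with 30 versus 365 days that holds, but a `renewal` that reaches or exceeds `lifetime` makes `is_valid(cert, attrs.params.renewal)` in the last dmvpn-ca hunk false even for a certificate issued moments ago, and if that branch drives issuance (code outside the hunk) every run would mint a fresh certificate. Validate the relationship once where the configuration is loaded, e.g. `assert(cert.renewal < cert.lifetime, 'cert.renewal must be shorter than cert.lifetime')`, adapted to however set_config_defaults propagates `cert.*` into the hub/spoke params that hunk 4 reads (not visible here). set_config_defaults continues outside the hunk.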
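Review bot: A negative `margin` extends validity past `cert.expires` instead of shrinking it, because the value is subtracted unchecked; clamping keeps `is_valid` only ever stricter than the plain expiry test: `return not cert.revoked and now < cert.expires - math.max(margin or 0, 0)`. The parameter also needs a comment, since with a margin the name `is_valid` no longer describes what is tested, e.g. `-- margin: seconds before cert.expires at which the certificate is already treated as expired (0 when omitted)`. Callers that pass no margin keep the previous behaviour, which is what makes the change safe for the other call sites.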