On April 23, 2020 9:42 pm, Thomas Lamprecht wrote:
> On 4/23/20 1:59 PM, Fabian Grünbichler wrote:
>> On April 23, 2020 1:07 pm, Dominik Csapak wrote:
>>> LGTM
>>>
>>> maybe we should shorten the lifespan to 1 year already?
>>> according to [0], safari on macos will reject certs
>>> that are longer valid than 398 days, when issued on/after
>>> 2020-09-01
>>>
>>> 0: https://support.apple.com/en-us/HT211025
>>>
>>
>> forgot to include this tidbit: that change was actually the reason for
>> looking at it, but it only affects certificates issued by CAs shipped in
>> the Apple Trust Stores, not those issued by CAs manually trusted by a
>> user. so our self-signed CA and its certificates are not affected (for
>> now).
>
> This all makes me thinking... Wouldn't we need to have the PMG also adapt
> to this? Checked a very recently from (new test) ISO installed test VM gets
> me a 10 year certificate lifespan.. I mean, there more may use a "trusted"
> one, but still..

Apple's 825 days limit affects self-signed as well AFAIU. so yes, we should
probably port the renewal + shorten lifetime changes to PMG as well.
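An added example, not part of the thread or of the Proxmox code base: a shell audit that measures a PEM certificate's validity period and compares it with the two limits quoted above. The function names are hypothetical, GNU `date` and the `openssl` CLI are assumed, and the 825-day check is applied regardless of issue date as a simplification.

```shell
#!/bin/sh
# Added example: audit a certificate's lifetime against the limits quoted
# in this thread. Function names are hypothetical, not Proxmox tooling.

LIMIT_ANY=825               # days; per the thread, hits self-signed certs too
                            # (assumption: checked regardless of issue date)
LIMIT_PUBLIC=398            # days; only CAs shipped in the Apple trust stores
PUBLIC_CUTOFF="2020-09-01"  # 398-day rule: certs issued on/after this date

# Epoch seconds of one validity field; $2 is "startdate" or "enddate".
cert_epoch() {
    raw=$(openssl x509 -in "$1" -noout "-$2") || return 1
    # openssl prints e.g. "notAfter=Apr 23 12:00:00 2030 GMT"
    date -u -d "${raw#*=}" +%s
}

# Whole days between notBefore and notAfter.
cert_lifetime_days() {
    start=$(cert_epoch "$1" startdate) || return 1
    end=$(cert_epoch "$1" enddate) || return 1
    echo $(( (end - start) / 86400 ))
}

# Prints ok | exceeds-398 | exceeds-825.
# $2 = "public" for a CA in the vendor trust store; anything else means a
# CA the user trusted manually (the self-signed case discussed above).
cert_lifetime_verdict() {
    days=$(cert_lifetime_days "$1") || return 1
    issued=$(cert_epoch "$1" startdate) || return 1
    cutoff=$(date -u -d "$PUBLIC_CUTOFF" +%s)
    if [ "$days" -gt "$LIMIT_ANY" ]; then
        echo exceeds-825
    elif [ "$2" = public ] && [ "$issued" -ge "$cutoff" ] \
         && [ "$days" -gt "$LIMIT_PUBLIC" ]; then
        echo exceeds-398
    else
        echo ok
    fi
}

# Usage: sh audit.sh <cert.pem> [public]
if [ $# -ge 1 ]; then
    cert_lifetime_verdict "$1" "${2:-private}"
fi
```

A certificate with the 10 year lifespan mentioned above reports `exceeds-825` in either mode, while one at or under 398 days reports `ok` in both.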