+eval {
+# get CA and check issuer
+my $capath = "/etc/pve/pve-root-ca.pem";
+my $cainfo = PVE::Certificate::get_certificate_info($capath);
+if ($cainfo->{subject} !~ m|/CN=Proxmox Virtual Environment/.*/O=PVE
Cluster Manager CA|) {
+ die "Root CA is not issued by Proxmox
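Review bot: the comment says "check issuer" and the die message says "not issued by", but the condition matches `$cainfo->{subject}`. For a self-signed root the two coincide, but the comment should say subject, or the check should compare the issuer field as well. The pattern is unanchored and relies on CN appearing before O in the subject string. A subject match alone does not show the CA is ours, since any certificate can carry that subject, so it should only gate the renewal together with the openssl verify step named in the commit message. The `m|...|` pattern is also wrapped across two lines in this mail, which puts a newline where the pattern expects the space in "PVE Cluster Manager CA", so the patch needs to be sent unwrapped to apply as intended.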
On November 21, 2019 1:19 pm, Thomas Lamprecht wrote:
> On 10/28/19 11:39 AM, Dominik Csapak wrote:
>> but only if the ca is ours, and the cert is issued by our ca
>> (by checking the issuer and openssl verify)
>>
>> this way we can reduce the lifetime of the certs without having
>> to worry that
On 10/28/19 11:39 AM, Dominik Csapak wrote:
> but only if the ca is ours, and the cert is issued by our ca
> (by checking the issuer and openssl verify)
>
> this way we can reduce the lifetime of the certs without having
> to worry that they ran out
>
> Signed-off-by: Dominik Csapak
> ---
> PVE
but only if the ca is ours, and the cert is issued by our ca
(by checking the issuer and openssl verify)
this way we can reduce the lifetime of the certs without having
to worry that they ran out
Signed-off-by: Dominik Csapak
---
PVE/CertHelpers.pm | 6 ++
bin/pveupdate | 33 +