From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox 01/10] acme-api: make self-signed certificate expiry configurable
Date: Tue, 7 Apr 2026 15:57:05 +0200
Message-ID: <20260407135714.490747-2-s.sterz@proxmox.com>
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
and change the default from 365000 days (almost 1000 years) to 3650
days (almost 10 years). Almost 1000 years is excessive, as no
practical cryptographic key can reasonably be considered safe for that
amount of time. Almost 10 years should still give plenty of time to
prepare for certificate changes.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
Notes:
IMO, we could go down even more. As far as I am aware, there is no real
limit that is being enforced here for self-signed certificates from a
browser perspective. They are already trusted on an exemption basis
anyway. However, certificates signed by public CAs will only be valid
for a maximum of 47 days by 2029 [1].
Hence, I would personally either adopt the same limit or go down to a
year, as a sensible middle ground. Certificate rotation should really
be automated even in self-signed scenarios. We also had cases in the
past where customers already ran into issues because they wanted to
limit the lifetime of their certificates below 30 days [2], meaning
that there is a need out there for shorter-lived certificates (though
in that case a custom CA & ACME setup was used).
[1]: https://github.com/cabforum/servercert/pull/553
[2]: https://bugzilla.proxmox.com/show_bug.cgi?id=6372
proxmox-acme-api/src/certificate_helpers.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/proxmox-acme-api/src/certificate_helpers.rs b/proxmox-acme-api/src/certificate_helpers.rs
index a4fe153a..c09bd65c 100644
--- a/proxmox-acme-api/src/certificate_helpers.rs
+++ b/proxmox-acme-api/src/certificate_helpers.rs
@@ -214,6 +214,7 @@ pub fn create_self_signed_cert(
product_name: &str,
nodename: &str,
domain: Option<&str>,
+ expire: Option<u32>,
) -> Result<(PKey<Private>, X509), Error> {
let rsa = Rsa::generate(4096).unwrap();
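Review bot: the new `expire: Option<u32>` parameter in the `create_self_signed_cert` signature carries no doc comment stating its unit or what `None` means; since the value is handed straight to `Asn1Time::days_from_now` in the next hunk, either rename it to `expire_days: Option<u32>` or document "validity in days, `None` selects the default" so callers cannot misread it as seconds. This is also a signature change on a `pub fn`, so every caller has to be adapted in the same series; a short note in the commit message that the API is breaking would help reviewers of the dependent patches.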
@@ -223,7 +224,7 @@ pub fn create_self_signed_cert(
let today = openssl::asn1::Asn1Time::days_from_now(0)?;
x509.set_not_before(&today)?;
- let expire = openssl::asn1::Asn1Time::days_from_now(365 * 1000)?;
+ let expire = openssl::asn1::Asn1Time::days_from_now(expire.unwrap_or(365 * 10))?;
x509.set_not_after(&expire)?;
let mut fqdn = nodename.to_owned();
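Review bot: the default of `365 * 10` days is an inline magic number inside `expire.unwrap_or(...)`; lift it into a named `pub const` (for example `DEFAULT_SELF_SIGNED_EXPIRE_DAYS: u32 = 365 * 10`) so callers, the CLI and documentation reference the same value instead of repeating it. The parameter is also unbounded: a caller can still pass the old `365 * 1000` or any other `u32`, which undercuts the motivation of the change, so consider rejecting or clamping values above a documented maximum, or at least documenting that the caller is responsible for the bound. Finally, `let expire = openssl::asn1::Asn1Time::days_from_now(expire.unwrap_or(365 * 10))?;` shadows the `u32` parameter with an `Asn1Time` of the same name, which is valid Rust but easy to misread; binding it as `let not_after = ...` keeps the two apart.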
--
2.47.3