eduvpn/vpn-server-api

make sure issued client certs never expire CA

fkooman opened this issue · 3 comments

Currently this results in an error... so if the "not after" time is later than the CA time, use -not-after CA instead to make the time exactly the same as the CA.

So assume you have a sessionExpiry of P1Y: if you want to get a client certificate within one year of the CA expiring, this would result in an error. It is (much) better to have everything expire at the same time...
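The clamping described in the issue, as an added example that is not the project's own code. The helper name `clientCertNotAfter` and all dates are assumptions made for illustration; a real deployment would read the CA's "not after" time from the CA certificate.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from vpn-server-api): choose the notAfter for a
// new client certificate so that it never outlives the issuing CA.
function clientCertNotAfter(
    DateTimeImmutable $now,
    DateInterval $sessionExpiry,
    DateTimeImmutable $caNotAfter
): DateTimeImmutable {
    if ($caNotAfter <= $now) {
        // Nothing valid can be issued from an already expired CA.
        throw new RuntimeException('CA certificate has expired');
    }
    $wanted = $now->add($sessionExpiry);

    // Clamp: if the requested lifetime runs past the CA, expire with the CA
    // instead of failing the request.
    return $wanted > $caNotAfter ? $caNotAfter : $wanted;
}

// Constructed sample values.
$utc = new DateTimeZone('UTC');
$caNotAfter = new DateTimeImmutable('2030-06-01 00:00:00', $utc);
$sessionExpiry = new DateInterval('P1Y');

// Requested more than one year before the CA expires: full P1Y lifetime.
$early = clientCertNotAfter(
    new DateTimeImmutable('2028-01-15 12:00:00', $utc),
    $sessionExpiry,
    $caNotAfter
);

// Requested within one year of the CA expiring: clamped to the CA's notAfter.
$late = clientCertNotAfter(
    new DateTimeImmutable('2029-09-01 12:00:00', $utc),
    $sessionExpiry,
    $caNotAfter
);

echo 'early: ', $early->format(DATE_ATOM), PHP_EOL;
echo 'late:  ', $late->format(DATE_ATOM), PHP_EOL;
```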

This was fixed a long time ago.

Only fixed in 3.x, not (yet) in 2.x.

Fixed in these commits for 2.x: