make sure issued client certs never expire CA
fkooman opened this issue · 3 comments
fkooman commented
Currently this results in an error... so if the "not after" time is later than the CA time, use `-not-after CA` instead to make the time exactly the same as the CA.

So assume you have a `sessionExpiry` of `P1Y`: if you want to get a client certificate within one year of the CA expiring, this would result in an error. It is (much) better to have everything expire at the same time...
fkooman commented
This was fixed a long time ago.
fkooman commented
Only fixed in 3.x, not (yet) in 2.x.
fkooman commented
Fixed in these commits for 2.x:
- vpn-user-portal: eduvpn/vpn-user-portal@b2d167a
- vpn-server-api: e1ad114
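
The clamping behaviour requested in this issue, as an added Go example that is not part of the thread and not the project's own code. The names `clampNotAfter` and `issueClient` are hypothetical, and the CA is a constructed stand-in (a fresh key with an issuer name and expiry) rather than a loaded CA certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// clampNotAfter caps the requested expiry at the CA's expiry, so a request that
// would outlive the CA is shortened instead of rejected (hypothetical helper).
func clampNotAfter(now, requested, caNotAfter time.Time) (time.Time, error) {
	if !now.Before(caNotAfter) {
		return time.Time{}, fmt.Errorf("CA expired at %s", caNotAfter)
	}
	if requested.After(caNotAfter) {
		return caNotAfter, nil
	}
	return requested, nil
}

// issueClient signs a client certificate valid for sessionYears, clamped to caNotAfter.
// The CA here is a constructed stand-in: a fresh key plus an issuer name and expiry.
func issueClient(now, caNotAfter time.Time, sessionYears int) (*x509.Certificate, error) {
	notAfter, err := clampNotAfter(now, now.AddDate(sessionYears, 0, 0), caNotAfter)
	if err != nil {
		return nil, err
	}
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Example CA"}, NotAfter: caNotAfter}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	if c, err := issueClient(now, now.AddDate(0, 6, 0), 1); err == nil {
		fmt.Println("client certificate expires with the CA:", c.NotAfter)
	}
}
```

An already expired CA is still treated as an error, since no certificate issued under it could be valid.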