Generates OCSP certificates that expire in 5 days
We upgraded some of our headless-ca applications from 1.1.5 to 1.3.2 and noticed that some of them started to generate OCSP certificates with 5 days expiry time in our OpenShift cluster, from the previous 10 years. We didn’t think more about it since it didn’t happen in any of our production environments, but now after deploying some new production changes they (our production environments) also started to generate OCSP certificates with 5 days expiry time.
What has changed to cause this drastic validity time change for the OCSP certificates?
P.S. We are using the same configuration (below) for all our OCSP certificates:

```properties
ca-service.instance.conf.default.ocsp.enabled=true
ca-service.instance.conf.default.ocsp.algorithm=${ca-service.instance.conf.default.ca.algorithm}
ca-service.instance.conf.default.ocsp.validity.start-offset-sec=-10
ca-service.instance.conf.default.ocsp.validity.unit=H
ca-service.instance.conf.default.ocsp.validity.amount=0
```
Fixed by updating the undocumented `ca-service.instance.conf.default.ca.ocsp-cert-validity-amount` to 730, which is 730 days.