Commit
(PE-32607) change default auto-renewal ttl to 90 days
This alters the default initial ttl for agents with auto-renewal capability
to 90 days from 60 days, and changes the period of validity on renewal from 60 days to 90 days.
jonathannewman committed Jul 5, 2023
1 parent bd6da30 commit 3d794dc
Showing 3 changed files with 6 additions and 6 deletions.
4 changes: 2 additions & 2 deletions src/clj/puppetlabs/puppetserver/certificate_authority.clj
Original file line number Diff line number Diff line change
Expand Up @@ -241,10 +241,10 @@
60)

(def default-auto-ttl-renewal
"60d") ; 60 days by default
"90d") ; 90 days by default

(def default-auto-ttl-renewal-seconds
(duration-str->sec default-auto-ttl-renewal)) ; 60 days by default
(duration-str->sec default-auto-ttl-renewal)) ; 90 days by default

(schema/defn ^:always-validate initialize-ca-config
"Adds in default ca config keys/values, which may be overwritten if a value for
Expand Down
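Review bot: the unchanged context line `60)` directly above `default-auto-ttl-renewal` shows another definition in this block still ending in 60; since the commit message says both the initial TTL and the validity period on renewal move from 60 to 90 days, confirm whether that remaining 60 is a different setting (or a different unit) or was meant to change in the same commit. Also, this hunk changes a security-relevant default (how long an agent certificate stays valid before it must renew) but none of the three touched files is documentation or a changelog; the new 90-day default should be recorded in the release notes and any configuration reference that states the old 60-day value.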
Original file line number Diff line number Diff line change
Expand Up @@ -214,10 +214,10 @@
(is (= 204 (:status response)))
(is (fs/exists? signed-cert-path))
(let [signed-cert (ssl-utils/pem->cert signed-cert-path)]
(testing "new not-after should be 59 days (and some fraction) away"
(testing "new not-after should be 89 days (and some fraction) away"
(let [diff (- (.getTime (.getNotAfter signed-cert)) (.getTime (Date.)))
days (.convert TimeUnit/DAYS diff TimeUnit/MILLISECONDS)]
(is (= 59 days)))))))))
(is (= 89 days)))))))))
(testing "signs a cert with a long ttl when the capability indicator is not present"
(let [certname (ks/rand-str :alpha-lower 8)
csr (ssl-utils/generate-certificate-request
Expand Down
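Review bot: the expected value `89` in `(is (= 89 days))` is hard-coded from the new default rather than derived from it, which is exactly why this test needed editing when the constant moved from 60 to 90. Consider computing the expectation from `default-auto-ttl-renewal-seconds` (the floor of the remaining whole days will be one less than the configured TTL because some time has elapsed since signing), for example `(is (= (dec (quot default-auto-ttl-renewal-seconds 86400)) days))`, so the test keeps tracking the configured default without further manual updates.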
Original file line number Diff line number Diff line change
Expand Up @@ -2005,10 +2005,10 @@
(is (= -1 (.compareTo (.getNotBefore signed-cert) (.getNotBefore renewed-cert)))))
(testing "new not-after is later than before"
(is (= -1 (.compareTo (.getNotAfter signed-cert) (.getNotAfter renewed-cert)))))
(testing "new not-after should be 59 days (and some faction) away"
(testing "new not-after should be 89 days (and some faction) away"
(let [diff (- (.getTime (.getNotAfter renewed-cert)) (.getTime (Date.)))
days (.convert TimeUnit/DAYS diff TimeUnit/MILLISECONDS)]
(is (= 59 days))))
(is (= 89 days))))
(testing "certificate should have been removed"
(is (not (fs/exists? expected-cert-path))))
(testing "extensions are preserved"
Expand Down
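Review bot: the modified `testing` description still carries the typo "some faction" (for "some fraction"); since this line is being rewritten anyway, fix the wording to "(and some fraction)" to match the sibling test in the previous file. The same hard-coding point applies here: `(is (= 89 days))` restates the new default instead of deriving the expectation from `default-auto-ttl-renewal-seconds`, so this assertion will need another hand edit the next time the renewal TTL changes.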

0 comments on commit 3d794dc