Client certificates
Øyvind Hagberg edited this page Mar 13, 2019 · 2 revisions
Nivlheim publishes a bundle with its currently active CA certificates at https://<servername>/clientca.pem
There is a cron job that runs every day: /etc/cron.daily/client_CA_cert.sh
It checks the expiry date of the currently active CA certificate.
- If the CA certificate will expire in less than 30 days, it creates a new one. It will be placed alongside the current one in /var/www/nivlheim/CA, and added to the bundle clientca.pem. But new client certificates will still be signed with the old (current) CA for now.
- If the CA certificate will expire in less than 9 days, it activates the new one. That means moving the files into place in /var/www/nivlheim/CA. The webserver is then restarted to make it read the new cert bundle.
How to manually trigger these operations:
sudo /etc/cron.daily/client_CA_cert.sh --force-create --verbose
sudo /etc/cron.daily/client_CA_cert.sh --force-activate --verbose
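To monitor the rotation described above from the outside, the following added example (not Nivlheim's own script) classifies every certificate in a downloaded copy of clientca.pem against the 30-day and 9-day thresholds. The function names and phase labels are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not Nivlheim's own script. Thresholds come from the page;
# the phase names and function names are hypothetical.
CREATE_DAYS=30     # below this, a successor CA should already exist
ACTIVATE_DAYS=9    # below this, the successor should already be active

# expires_within FILE DAYS: true if the certificate expires within DAYS days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null 2>&1
}

# cert_phase FILE: prints unreadable | expired | activate-due | create-due | ok
cert_phase() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable
    elif expires_within "$1" 0; then
        echo expired
    elif expires_within "$1" "$ACTIVATE_DAYS"; then
        echo activate-due
    elif expires_within "$1" "$CREATE_DAYS"; then
        echo create-due
    else
        echo ok
    fi
}

# bundle_report FILE: one line per certificate in a PEM bundle:
# phase<TAB>subject and notAfter
bundle_report() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        printf '%s\t%s\n' "$(cert_phase "$f")" \
            "$(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
    done
    rm -rf "$tmp"
}

# Usage: sh check_bundle.sh clientca.pem
if [ $# -gt 0 ]; then bundle_report "$1"; fi
```

A bundle with a single certificate reported as create-due or activate-due suggests the daily job has not created the successor CA; two certificates are expected during the overlap period.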