GENI-NSF / geni-ch

GENI clearinghouse services

Slice certificates are being issued with a 10 year lifetime #605

Closed hussamnasir closed 5 years ago

hussamnasir commented 6 years ago

This needs to be fixed since it breaks slice credentials generated with slice certificates that expire beyond the GENI CA expiry. The right way should be to use the slice expiry time as the slice certificate expiry time. Each time a slice is renewed, the slice certificate is also renewed automatically by the current source code.

hussamnasir commented 6 years ago

An additional issue I found when trying to fix this using my previously mentioned idea is that slice certificates could still go beyond the SA Certificate expiry time if

(Slice_expiry + renewal_days) > SA Cert expiry time

There is no check to prevent this currently and, looking at the source code, there are far too many issues that may crop up and cause more problems for the CH and portal admins / source code maintainers.

This particular problem will only occur starting from 185 days before SA Cert expiry because 185 days is set as a constant in the source code for max allowable renew time. To avoid running into this issue, whoever the admins may be at that time has to renew the CA, SA and other relevant Authority certs at least 185 days before the actual expiry. This will make sure all existing SA certs issued by the old SA/CA are still valid while all new certs are signed by the renewed CA/SA.
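The check discussed in the comments above, sketched as an added example (it is not part of the issue thread and not geni-ch code): the slice certificate expires with the slice, is clamped to the earliest SA/CA expiry, and a warning is raised once the 185-day window is reached. All function names and the sample dates are assumptions; only the 185-day constant comes from the issue.

```python
from datetime import datetime, timedelta, timezone

# 185 days is the maximum renewal time quoted in the issue. Every name
# below is hypothetical and not taken from the geni-ch source.
MAX_RENEWAL = timedelta(days=185)

# Constructed sample expiry dates for the issuing certificates.
AUTHORITIES = {
    "SA": datetime(2030, 1, 1, tzinfo=timezone.utc),
    "CA": datetime(2032, 1, 1, tzinfo=timezone.utc),
}


def chain_limit(authority_not_after):
    """Earliest notAfter among the issuing certificates (SA, CA, ...)."""
    return min(authority_not_after.values())


def authority_renewal_deadline(authority_not_after):
    """Latest date by which the authority certs must be re-issued so that a
    maximum-length slice renewal can never outlive them."""
    return chain_limit(authority_not_after) - MAX_RENEWAL


def slice_cert_validity(now, slice_expiry, authority_not_after):
    """Return (not_after, warnings) for a slice certificate.

    not_after follows the slice expiry instead of a fixed 10-year lifetime,
    and never exceeds the expiry of the certificates that sign it.
    """
    limit = chain_limit(authority_not_after)
    if now >= limit:
        raise ValueError("authority certificate expired; cannot issue")
    warnings = []
    not_after = slice_expiry
    if not_after > limit:
        not_after = limit
        warnings.append("slice certificate clamped to authority expiry")
    if now >= authority_renewal_deadline(authority_not_after):
        warnings.append("inside 185-day window: renew CA/SA certificates")
    return not_after, warnings
```
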