icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

Specify Certificate Duration #311

Closed misilot closed 1 year ago

misilot commented 1 year ago

Hello,

I read through the docs and didn't see it, but is there a way to specify the certificate duration? For example by default our ACME CA provides 1 year certificates, but I would like to do 90 or even shorter length certificates, for dev and test systems.

Thanks!

icing commented 1 year ago

Hi,

the certificate lifetime is given by the issuing CA. The ACME protocol does not allow specifying that. I agree that short lifetimes are preferable. You could set up a separate CA for dev and test systems, but then you have to manage the trust anchors for that somehow for your clients. Depends on your particular setup how tricky that is.

misilot commented 1 year ago

Hmm, that's interesting that Traefik supports it as a configuration https://doc.traefik.io/traefik/https/acme/#certificatesduration, so I had assumed it was specified by ACME.

icing commented 1 year ago

I was wrong, one can request a notBefore and notAfter and the CA will deny issuing the cert if it does not agree to that.

That is probably why I forgot about that feature. One has to know beforehand how the CA will react and that may also change in the CA at its whim. So, it seems an additional point of failure.

icing commented 1 year ago

Coming back to this: I had an exchange with the senior Let's Encrypt engineer on this and there are problems with using notBefore/notAfter in ACME. The spec says, in short, these parts of the Certificate Request must be either obeyed or certificate creation must be rejected.

Let's Encrypt does not support other lifetimes and this is one of the reasons for it. It adds complexities to their business that they do not want (my interpretation). Now other CAs might choose differently. I myself tend to side with Let's Encrypt here. I do not want to handle the issues that I foresee would arise with adding support for this in Apache. Other ACME clients might choose differently and that is totally fine.

If I were to design this feature for an ACME CA, I would let people configure desired lifetimes outside the ACME protocol itself. What I mean by this is that a user should be able to configure a DNS name with cert lifetime information.

Maybe that is done in a CA user configuration (for CA with user accounts) or a specific DNS entry that is looked at by the CA. These would say __acme_lifetime.xxx.yyy.com: 10 days, configured once and done. Something like that is how I would go about it.
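As an added illustration of the two points made in this thread, neither taken from mod_md nor from any CA's code: the first is the RFC 8555 section 7.4 behaviour described above, where a client puts notBefore/notAfter into the newOrder request and the CA must either honour both or refuse the order (Let's Encrypt refuses); the second is the out-of-band alternative proposed here, where the CA picks the lifetime from a `__acme_lifetime.<name>` record instead of from the order. The toy CA, the `ca.example` URLs, the use of `urn:ietf:params:acme:error:malformed` as the rejection type, the in-memory stand-in for DNS TXT lookups, and the "10 days" record syntax are all assumptions for the example.

```python
"""Added example: ACME newOrder with a requested validity window (RFC 8555 s7.4)
and the out-of-band '__acme_lifetime' DNS hint proposed in the thread.
The CA, its URLs, the error type and the TXT record format are assumptions."""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed error type for a refused window; RFC 8555 only requires that the CA
# return an error instead of issuing a certificate with a window it did not request.
MALFORMED = "urn:ietf:params:acme:error:malformed"


def rfc3339(dt):
    """ACME timestamps are RFC 3339 in UTC, e.g. 2024-06-01T00:00:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_rfc3339(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_order_payload(names, now, lifetime=None):
    """Client side: JSON body of POST /acme/new-order. notBefore/notAfter are
    optional; a client that sends them must expect a 400 from CAs that do not
    support them, so the lifetime request is a second point of failure."""
    payload = {"identifiers": [{"type": "dns", "value": n} for n in names]}
    if lifetime is not None:
        payload["notBefore"] = rfc3339(now)
        payload["notAfter"] = rfc3339(now + lifetime)
    return payload


def parse_lifetime_hint(text):
    """Parse the hypothetical '__acme_lifetime' TXT value, e.g. '10 days'."""
    m = re.fullmatch(r"\s*(\d+)\s*(days?|hours?)\s*", text)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(days=n) if unit.startswith("day") else timedelta(hours=n)


class ToyCA:
    """Server side. honour_window=False models a CA that, like Let's Encrypt,
    rejects any order carrying notBefore/notAfter. dns_txt is a constructed
    in-memory stand-in for TXT lookups of '__acme_lifetime.<name>' records."""

    def __init__(self, default_lifetime=timedelta(days=90),
                 max_lifetime=timedelta(days=90), honour_window=False, dns_txt=None):
        self.default_lifetime = default_lifetime
        self.max_lifetime = max_lifetime
        self.honour_window = honour_window
        self.dns_txt = dns_txt or {}

    def _hinted_lifetime(self, names):
        # Shortest valid hint across all names wins, never exceeding CA policy.
        hints = [parse_lifetime_hint(self.dns_txt.get("__acme_lifetime." + n, ""))
                 for n in names]
        return min([self.default_lifetime, self.max_lifetime] + [h for h in hints if h])

    def new_order(self, payload, now):
        """Return (http_status, body): 201 with an order, or 400 with a problem document."""
        names = [i["value"] for i in payload["identifiers"]]
        if "notBefore" in payload or "notAfter" in payload:
            if not self.honour_window:
                return 400, {"type": MALFORMED,
                             "detail": "notBefore and notAfter are not supported"}
            if "notBefore" not in payload or "notAfter" not in payload:
                return 400, {"type": MALFORMED,
                             "detail": "notBefore and notAfter must be given together"}
            not_before = parse_rfc3339(payload["notBefore"])
            not_after = parse_rfc3339(payload["notAfter"])
            if not_after <= not_before or not_after - not_before > self.max_lifetime:
                return 400, {"type": MALFORMED,
                             "detail": "requested validity window not allowed by CA policy"}
        else:
            not_before = now
            not_after = now + self._hinted_lifetime(names)
        order = {
            "status": "pending",
            "expires": rfc3339(now + timedelta(days=7)),
            "identifiers": payload["identifiers"],
            "notBefore": rfc3339(not_before),
            "notAfter": rfc3339(not_after),
            "authorizations": [f"https://ca.example/acme/authz/{n}" for n in names],
            "finalize": "https://ca.example/acme/order/1/finalize",
        }
        return 201, order


def window_matches(payload, order):
    """Client-side check before finalizing: an honoured window must be echoed
    exactly; the CA may not silently substitute a different one."""
    return all(order.get(k) == payload[k] for k in ("notBefore", "notAfter") if k in payload)


def order_lifetime(order):
    return parse_rfc3339(order["notAfter"]) - parse_rfc3339(order["notBefore"])


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    req = new_order_payload(["dev.example.org"], now, timedelta(days=10))
    print(json.dumps(req, indent=2))
    print(ToyCA(honour_window=False).new_order(req, now))   # the refusal case
    status, order = ToyCA(honour_window=True).new_order(req, now)
    print(status, order_lifetime(order), window_matches(req, order))
    hinted = ToyCA(dns_txt={"__acme_lifetime.dev.example.org": "10 days"})
    print(order_lifetime(hinted.new_order(new_order_payload(["dev.example.org"], now), now)[1]))
```

The DNS-hint path is the interesting contrast: the order itself carries no window, so the same client request works against a CA that ignores the record (it gets the default lifetime) and against one that honours it, which is exactly the failure mode the in-band notBefore/notAfter approach cannot avoid.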

icing commented 1 year ago

Just an addition to the mastodon thread about this and more explanations: https://chaos.social/@icing/110518749878760014