mathiasertl / django-ca

Django app providing a Certificate Authority
GNU General Public License v3.0

CA_PROFILES expiration time is ignored #87

Closed DonOtuseGH closed 2 years ago

DonOtuseGH commented 2 years ago

Hello,

Using django-ca (latest Docker image), I realised that the profile's expires parameter seems to be ignored. I used the following additional profile, which is mapped into the container via docker-compose.override.yml:

volumes:
  - ./localsettings.yaml:/usr/src/django-ca/ca/conf/compose/99-localsettings.yaml

localsettings.yaml:

CA_DEFAULT_EXPIRES: 365
CA_PROFILES:
  server_3y:
    description: A certificate for a webserver with 3 years validity time.
    expires: 1095
    extensions:
      extended_key_usage:
        critical: false
        value:
        - serverAuth
      key_usage:
        critical: true
        value:
        - digitalSignature
        - keyEncipherment
    subject: /O=MyOrg/OU=Lab

As a result, the certificate contains the correct subject and extensions, but has the default validity time of 1 year. Giving the parameter --expires 1095 in addition works, for sure.

Could you please verify and solve this as well?

Thank you!

mathiasertl commented 2 years ago

Hi,

Thanks for the report, I have a fix ready and it will be in the next release.

However, I must note that most (all?) browsers will not accept certificates with a three year validity time anymore. I think one year is the maximum now.

kr, Mat

DonOtuseGH commented 2 years ago

Hi Mat,

Thank you for fixing the issue. I'm aware of the browser limitations, but there might be other use cases, e.g. s2s/c2s VPN. From a security perspective, long-lived certificates are of course not recommended ;-)

BR, Don.
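The precedence the reporter expects (--expires on the command line, then the profile's own expires, then CA_DEFAULT_EXPIRES) and the lifetime concern Mat raises, as an added self-check that is not django-ca's own code: it resolves the validity a profile should produce and compares it with the notBefore/notAfter of an issued certificate, so a misconfiguration like the one in this issue is caught before the certificate is deployed. The settings dict, the "webserver" profile and the 398-day policy ceiling (the CA/Browser Forum limit for publicly trusted TLS certificates; adjust to your own policy) are assumptions made here.

```python
from datetime import datetime

# Constructed settings mirroring the reporter's localsettings.yaml (not parsed from YAML here).
CA_DEFAULT_EXPIRES = 365
CA_PROFILES = {
    "server_3y": {"expires": 1095},
    "webserver": {},  # hypothetical profile without its own expires value
}

# Assumed policy ceiling for server certificate lifetimes, in days.
MAX_SERVER_LIFETIME_DAYS = 398


def effective_expires(profile_name, cli_expires=None):
    """Resolve the validity in days: --expires on the command line wins,
    then the profile's own `expires`, then CA_DEFAULT_EXPIRES."""
    if cli_expires is not None:
        return cli_expires
    profile = CA_PROFILES.get(profile_name, {})
    return profile.get("expires", CA_DEFAULT_EXPIRES)


def lifetime_days(not_before, not_after):
    """Whole days between two ISO 8601 timestamps (e.g. '2022-01-01T00:00:00+00:00')."""
    return (datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)).days


def check_certificate(profile_name, not_before, not_after, cli_expires=None):
    """Compare an issued certificate's lifetime with what the profile should have produced.
    Returns a list of findings; an empty list means the certificate matches the profile."""
    findings = []
    expected = effective_expires(profile_name, cli_expires)
    actual = lifetime_days(not_before, not_after)
    if actual != expected:
        findings.append(f"lifetime {actual}d differs from profile {profile_name!r} ({expected}d)")
    if actual > MAX_SERVER_LIFETIME_DAYS:
        findings.append(f"lifetime {actual}d exceeds policy maximum of {MAX_SERVER_LIFETIME_DAYS}d")
    return findings


if __name__ == "__main__":
    # The situation from this issue: server_3y requested, but only 365 days issued.
    for finding in check_certificate("server_3y", "2022-01-01T00:00:00+00:00", "2023-01-01T00:00:00+00:00"):
        print("FINDING:", finding)
```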