authorEdward Hyunkoo Jee <edjee@google.com>2018-06-05 17:01:08 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-06-06 01:16:27 -0700
commite21e46dfc68596e3495c68cfc49c7442fec2942a (patch)
tree505faf04871a46f6f128df86e4c57ab1e48d8427
parent2cc35b0f31fe1cf69ce6781e7d502f07c64c93c9 (diff)
downloadvboot-firmware-nami-10775.130.B.tar.gz
keygeneration: make the certificates valid for 10 yearsfirmware-nami-10775.Bfirmware-nami-10775.130.Bfirmware-nami-10775.108.B
UEFI firmware implementations are unlikely to validate the "days". However we'd better specify a reasonable value. We learned that setting the "days" argument to a large number can cause unexpected results due to overflow. GCE team has decided to set this value as 10 years. BUG=b:62189155 TEST=None BRANCH=none Change-Id: If0375251b41e9584708355a6fd32192aa5ad0c1a Reviewed-on: https://chromium-review.googlesource.com/1088165 Commit-Ready: Edward Jee <edjee@google.com> Tested-by: Edward Jee <edjee@google.com> Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rw-r--r--scripts/keygeneration/uefi/uefi_common.sh6
1 files changed, 3 insertions, 3 deletions
diff --git a/scripts/keygeneration/uefi/uefi_common.sh b/scripts/keygeneration/uefi/uefi_common.sh
index 87585450..ba5369b6 100644
--- a/scripts/keygeneration/uefi/uefi_common.sh
+++ b/scripts/keygeneration/uefi/uefi_common.sh
@@ -79,7 +79,7 @@ _make_self_signed_pair() {
pushd "${key_name}" >/dev/null || return 1
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
-keyout "${key_name}.rsa" -out "${key_name}.pem" \
- -subj "${subj}" -days 73000
+ -subj "${subj}" -days 3650
popd >/dev/null
}
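Review bot: The exit status of `openssl req` is discarded in `_make_self_signed_pair`, because `popd >/dev/null` is the last command and its status becomes the function's return value; unless the caller runs under `set -e` (not visible here), a failed key generation is reported as success. Capture the status instead: declare `local ret=0`, append `|| ret=$?` to the openssl command, and finish with `return "${ret}"` after `popd`. The same pattern appears in `_make_child_pair` in the next hunk, where a failed CSR step also falls through to the signing step. The function starts outside the hunk.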
@@ -100,10 +100,10 @@ _make_child_pair() {
pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
openssl req -new -nodes -newkey rsa:2048 -sha256 \
-keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \
- -subj "${subj}" -days 73000
+ -subj "${subj}"
openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \
-CAcreateserial -in "${child_key_name}.csr" \
- -out "${child_key_name}.pem" -days 73000
+ -out "${child_key_name}.pem" -days 3650
popd >/dev/null
}
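Review bot: The child certificate's `-days 3650` is counted from the moment of signing, so a child issued any time after its CA was created gets a notAfter later than the CA's own 3650-day expiry; `openssl x509 -req` does not cap validity at the issuer's. If children are always generated right after the CA the gap is only seconds, but a child added later would outlive its issuer, and a verifier that does check dates would reject the chain once the CA expires. A comment above the signing command such as `# Child validity is not capped at the CA's notAfter; reissue the CA before adding children late in its lifetime.` would record this. The value 3650 is now repeated in both functions, so a single `readonly` constant carrying the overflow rationale from the commit message would keep them in step. The function starts outside the hunk.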