From e21e46dfc68596e3495c68cfc49c7442fec2942a Mon Sep 17 00:00:00 2001
From: Edward Hyunkoo Jee
Date: Tue, 5 Jun 2018 17:01:08 -0700
Subject: keygeneration: make the certificates valid for 10 years
UEFI firmware implementations are unlikely to validate the "days". However we'd better specify a reasonable value. We learned that setting the "days" argument to a large number can cause unexpected results due to overflow. GCE team has decided to set this value as 10 years.
BUG=b:62189155
TEST=None
BRANCH=none
Change-Id: If0375251b41e9584708355a6fd32192aa5ad0c1a
Reviewed-on: https://chromium-review.googlesource.com/1088165
Commit-Ready: Edward Jee
Tested-by: Edward Jee
Reviewed-by: Mike Frysinger
---
 scripts/keygeneration/uefi/uefi_common.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/keygeneration/uefi/uefi_common.sh b/scripts/keygeneration/uefi/uefi_common.sh
index 87585450..ba5369b6 100644
--- a/scripts/keygeneration/uefi/uefi_common.sh
+++ b/scripts/keygeneration/uefi/uefi_common.sh
@@ -79,7 +79,7 @@ _make_self_signed_pair() {
 pushd "${key_name}" >/dev/null || return 1
 openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
 -keyout "${key_name}.rsa" -out "${key_name}.pem" \
- -subj "${subj}" -days 73000
+ -subj "${subj}" -days 3650
 popd >/dev/null
 }
@@ -100,10 +100,10 @@ _make_child_pair() {
 pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
 openssl req -new -nodes -newkey rsa:2048 -sha256 \
 -keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \
- -subj "${subj}" -days 73000
+ -subj "${subj}"
 openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \
 -CAcreateserial -in "${child_key_name}.csr" \
- -out "${child_key_name}.pem" -days 73000
+ -out "${child_key_name}.pem" -days 3650
 popd >/dev/null
 }
--
cgit v1.2.1
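Review bot: The new lifetime is written as the bare literal `3650` on the `-subj ... -days` line of `_make_self_signed_pair` and again on the `openssl x509 -req` line in the `_make_child_pair` hunk, while the reason for the value (overflow seen with larger numbers) lives only in the commit message. A single named value keeps the two sites from drifting and keeps the rationale next to the number, for example `UEFI_CERT_DAYS=3650  # 10 years; larger values overflowed, see b:62189155` used as `-days "${UEFI_CERT_DAYS}"`. Since the commit records TEST=None, the resulting expiry is worth confirming once with `openssl x509 -noout -enddate -in "${key_name}.pem"`. The opening lines of the function are outside the hunk.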
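Review bot: A child issued some time after its CA will carry a notAfter later than the CA's own, because `-days 3650` on the `openssl x509 -req` line counts from the moment of signing and is not clamped to the issuer's validity. Chain validation would still fail once the CA expires, so expiry tracking keyed on the leaf certificate would overestimate its usable lifetime; a comment such as `# child validity counts from signing time; re-issue children when the CA is rotated` would record that. Separately, the exit status of the two openssl calls is not checked before `popd`, so unless callers run under `set -e` (not visible in this hunk) a failed signing returns the status of `popd`; appending `|| { popd >/dev/null; return 1; }` to the signing command would surface it. The start of `_make_child_pair` is outside the hunk.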