Self_signed TLS expires after 7 days?


(Michael Adams) #1

Already using Caddy for an external-facing system w/ACME, no problem. But the self_signed certs expire after only 7 days? I would imagine this normally wouldn’t be an issue for rapid-production; but for known-good internal systems, I figure one could adjust the timeout / expect the same 3 months as ACME certs? This would be for internal system uses.

Caddy 0.10.7
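Added example, not from this thread and not Caddy's own code: a shell check that mimics the 7-day self-signed certificate described above and warns when its validity is about to run out, which is the failure an internal host would otherwise hit silently. The hostname and the 3-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Caddy): create a 7-day self-signed
# cert like the one Caddy 0.10.7 issues, then check how close it is to expiry.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/selfsigned.pem"
KEY="$WORKDIR/selfsigned.key"

# Constructed stand-in for the 7-day self-signed cert (hostname is made up).
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=internal.example.test" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Returns 0 if the cert in $1 stays valid for at least $2 more seconds, else 1.
# `openssl x509 -checkend N` exits 0 only when the cert will NOT expire within N seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints the notAfter date so it can be logged or alerted on.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

make_self_signed_cert
echo "expires: $(cert_not_after "$CERT")"
# Assumed policy: warn when fewer than 3 days of validity remain.
if cert_valid_for "$CERT" $((3 * 86400)); then
    echo "ok: more than 3 days of validity left"
else
    echo "WARNING: cert expires within 3 days, renew it"
fi
```

Run the same `cert_valid_for` check from cron against the certificate Caddy actually serves to catch the expiry before clients do.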


(Matt Holt) #2

Good question… here’s my perspective on it. Caddy’s self-signed certificates are intended for local development, not long-term production use. Using self-signed certs in production is kind of a bad idea anyway for the vast majority of threat models. (If an attacker has access to your internal network to passively watch the traffic, it’s likely they can also mount active attacks without too much trouble.)

How is it a “known-good” internal system without identity verification?


(Michael Adams) #3

That’s fair. If this is definitely a “won’t fix” by design, I would only ask that the documentation be updated to reflect the 7-day period, based on what you have just described. Been talking with the boss about needing to develop an internal cert authority for those needs anyway.

Thank you!


(Matt Holt) #4

Updating the docs is a good idea, just did it. Will roll out soon.


(Michael Adams) #5

Awesome, thank you. Also just found http://www.openxpki.org/: might be good for non-external use?