Linux-Help/ovpn-admin
1
0
Fork 0
mirror of synced 2025-04-16 03:29:40 -04:00
Code Issues Projects Releases Packages Wiki Activity

Added the ability to set the validity period of the client certificate. ()

Browse source 
Signed-off-by: Paramoshka <parfenov_ivan_42a@mail.ru>
This commit is contained in:
Paramoshka 2025-03-03 15:45:33 +03:00 committed by GitHub
parent ac96942e1d
commit a2c41756a5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 16 additions and 3 deletions

18
certificates.go
View file

@ -8,7 +8,9 @@ import (
"crypto/x509/pkix"
"encoding/pem"
"errors"
"fmt"
"math/big"
"strconv"
"time"
)
@ -60,7 +62,6 @@ func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
Bytes: privKeyPKCS8,
})
return
}
@ -133,6 +134,17 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
serial, err := rand.Int(rand.Reader, serialNumberRange)
certLifetimeDays, err := strconv.Atoi(*clientCertExpirationDays)
if err != nil {
return nil, fmt.Errorf("can't get client certificate expiration value: %w", err)
}
notBefore := time.Now()
notAfter := notBefore.Add(time.Duration(certLifetimeDays) * 24 * time.Hour)
if notAfter.After(ca.NotAfter) {
notAfter = ca.NotAfter
}
template := x509.Certificate{
BasicConstraintsValid: true,
DNSNames: []string{cn},
@ -142,8 +154,8 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
},
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
NotBefore: time.Now(),
NotAfter: ca.NotAfter,
NotBefore: notBefore,
NotAfter: notAfter,
}
issuerBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &privKey.PublicKey, caPrivKey)

1
main.go
View file

@ -76,6 +76,7 @@ var (
logLevel = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()
logFormat = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String()
storageBackend = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String()
clientCertExpirationDays = kingpin.Flag("client-cert.expiration-days", "Expiration period of OpenVPN client certificates in days, the period will shrink automatically to the CA expiration period").Default("3650").Envar("CLIENT_CERT_EXPIRATION_DAYS").String()
certsArchivePath = "/tmp/" + certsArchiveFileName
ccdArchivePath = "/tmp/" + ccdArchiveFileName