Certificate Generation Settings #622
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@science695 Following up on your original comment on allowing .env to set the -d flag when generating certificates, I've modified the apache2.4 docker image to allow this. You can read more at the following links: Pull request for apache-2.4 Docker container
@tmort Thanks! This looks great.
This will be fixed in the upcoming release: #647. Apple had a few more requirements: https://support.apple.com/en-us/HT210176
Google and Apple are both making strides to put restrictions on SSL certificates: things like they cannot have more than a 2-year expiration, must have a certain key length...
On the latest macOS, they have implemented these changes, which makes it reject the certificates created by devilbox.
I have looked and I do see that you already have these options available in cert-gen: https://github.com/devilbox/cert-gen/blob/master/bin/cert-gen
Would you be able to allow some of these options, -d or -k, to be customized? Either an ENV variable that includes extra command line flags, or the option to override DEF_DAYS or DEF_KEYSIZE?
Would probably need to be in both apache and nginx docker images:
https://github.com/devilbox/docker-nginx-stable/blob/master/data/docker-entrypoint.d/08-cert-gen.sh
https://github.com/devilbox/docker-apache-2.4/blob/master/data/docker-entrypoint.d/08-cert-gen.sh
Currently the only problem I have is the expiration time of 10 years, but I feel like there may be more problems as the industry creates stricter and stricter standards.
(Another option would be to reduce the DEF_DAYS=3650 to only 2 years or something smaller)
Thanks!
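The issue offers two routes: an ENV variable carrying raw extra flags, or overriding the defaults. The following added example (not devilbox or cert-gen code) shows the second route, validating numeric values before they become `-d` / `-k` flags. `CERT_GEN_DAYS` and `CERT_GEN_KEYSIZE` are hypothetical variable names, and the 825-day and 2048-bit bounds are taken from the Apple requirements page linked above.

```shell
#!/bin/sh
# Added example, not devilbox or cert-gen code. CERT_GEN_DAYS and
# CERT_GEN_KEYSIZE are hypothetical names; only -d and -k come from the issue.

MAX_DAYS=825      # Apple HT210176: validity period of 825 days or fewer
MIN_KEYSIZE=2048  # Apple HT210176: RSA key size of at least 2048 bits

# is_uint VALUE: accept 1 to 5 decimal digits with no leading zero. The length
# cap keeps the numeric comparisons below from overflowing, and the digit-only
# rule stops a value such as "730 -k 512" from smuggling in extra flags.
is_uint() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    return 0
}

# cert_gen_flags: print the extra cert-gen flags derived from the environment.
# An unset or empty variable adds no flag, so cert-gen keeps its own default.
# Returns 1 and prints nothing on stdout if a value is malformed or out of range.
cert_gen_flags() {
    flags=""
    if [ -n "${CERT_GEN_DAYS:-}" ]; then
        if ! is_uint "$CERT_GEN_DAYS" || [ "$CERT_GEN_DAYS" -gt "$MAX_DAYS" ]; then
            echo "CERT_GEN_DAYS must be an integer from 1 to $MAX_DAYS" >&2
            return 1
        fi
        flags="-d $CERT_GEN_DAYS"
    fi
    if [ -n "${CERT_GEN_KEYSIZE:-}" ]; then
        if ! is_uint "$CERT_GEN_KEYSIZE" || [ "$CERT_GEN_KEYSIZE" -lt "$MIN_KEYSIZE" ]; then
            echo "CERT_GEN_KEYSIZE must be an integer of at least $MIN_KEYSIZE" >&2
            return 1
        fi
        flags="${flags:+$flags }-k $CERT_GEN_KEYSIZE"
    fi
    printf '%s\n' "$flags"
}

# In an entrypoint script (remaining cert-gen arguments left as they are):
#   extra="$(cert_gen_flags)" || exit 1
#   cert-gen $extra ...
```

Compared with an ENV variable that holds arbitrary flags, typed variables keep the container's configuration from weakening the certificate below the stated bounds.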