Make cert renew grace period configurable (default: 30 days)

Signed-off-by: Xavier Bachelot <xavier@bachelot.org>
2019-01-28 16:11:57 +01:00 · 2019-01-28 16:11:57 +01:00 · ff87fb1812
commit ff87fb1812
parent 6eff1118f8
2 changed files with 7 additions and 2 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -1010,10 +1010,10 @@ at: $crt_in"
 		)
 	expire_date=$(date -d "$expire_date" +%s)

-	allow_renew_date=$(date -d '+30day' +%s)
+	allow_renew_date=$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)

 	[ "$expire_date" -lt "$allow_renew_date" ] || die "\
-Certificate expires in more than 30 days.
+Certificate expires in more than $EASYRSA_CERT_RENEW days.
 Renewal not allowed."

 	# Extract certificate usage from old cert
@ -1488,6 +1488,7 @@ Note: using Easy-RSA configuration from: $vars"
 	set_var EASYRSA_EC_DIR		"$EASYRSA_PKI/ecparams"
 	set_var EASYRSA_CA_EXPIRE	3650
 	set_var EASYRSA_CERT_EXPIRE	1080 # new default of 36 months	
+	set_var EASYRSA_CERT_RENEW	30
 	set_var EASYRSA_CRL_DAYS	180
 	set_var EASYRSA_NS_SUPPORT	no
 	set_var EASYRSA_NS_COMMENT	"Easy-RSA (~VER~) Generated Certificate"
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@ -127,6 +127,10 @@ fi
 # parsed after this timeframe passes. It is only used for an expected next
 # publication date.

+# How many days before its expiration date a certificate is allowed to be
+# renewed?
+#set_var EASYRSA_CERT_RENEW	30
+
 #set_var EASYRSA_CRL_DAYS	180

 # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default