keygeneration: make the certificates valid for 10 years
UEFI firmware implementations are unlikely to validate the "days".
However we'd better specify a reasonable value. We learned that
setting the "days" argument to a large number can cause unexpected
results due to overflow.
GCE team has decided to set this value as 10 years.
BUG=b:62189155
TEST=None
BRANCH=none
Change-Id: If0375251b41e9584708355a6fd32192aa5ad0c1a
Reviewed-on: https://chromium-review.googlesource.com/1088165
Commit-Ready: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
diff --git a/scripts/keygeneration/uefi/uefi_common.sh b/scripts/keygeneration/uefi/uefi_common.sh
index 8758545..ba5369b 100644
--- a/scripts/keygeneration/uefi/uefi_common.sh
+++ b/scripts/keygeneration/uefi/uefi_common.sh
@@ -79,7 +79,7 @@
pushd "${key_name}" >/dev/null || return 1
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
-keyout "${key_name}.rsa" -out "${key_name}.pem" \
- -subj "${subj}" -days 73000
+ -subj "${subj}" -days 3650
popd >/dev/null
}
@@ -100,10 +100,10 @@
pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1
openssl req -new -nodes -newkey rsa:2048 -sha256 \
-keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \
- -subj "${subj}" -days 73000
+ -subj "${subj}"
openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \
-CAcreateserial -in "${child_key_name}.csr" \
- -out "${child_key_name}.pem" -days 73000
+ -out "${child_key_name}.pem" -days 3650
popd >/dev/null
}
