Univention Bugzilla – Bug 52741
ssl/validity/host not taken into account
Last modified: 2022-02-09 12:22:20 CET
+++ This bug was initially created as a clone of Bug #27002 +++

The variable ssl/validity/host is no longer taken into account when generating host certificates. Instead the variable ssl/default/days is used.

Reason why this was noticed: According to the decision of Google (1), Apple (2) and Mozilla (3), the age of server certificates created from 01 Sep 2020 on must not be longer than 398 days. Currently, this can still be partially deactivated in the browsers. However, it is to be expected that this will also be deactivated in the future. So that certificates generated from now on are considered valid, a distinction must be made between the age of the PKI and that of the certificate.

1: https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
2: https://support.apple.com/en-us/HT211025
3: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
According to "ucr get info ssl/validity/host" this is an integer since 1970-01-01 until when the currently installed certificate on a host is valid, not the validity time of a newly created certificate.

This variable stores the validity length of the host certificate in days since the 1st of January 1970. This value is generated automatically and should not be modified.
Categories: system-ssl

The value should be updated shortly after the new certificate is installed on a server.
Timo is correct. The UCR variable you are searching for is ssl/default/days (and maybe additionally ssl/crl/validity).
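
Added example, not part of the bug thread or Univention's code: a Python sketch of the distinction discussed above, treating ssl/validity/host as an absolute expiry date (days since 1970-01-01) and ssl/default/days as a lifetime checked against the 398-day limit. The function names, the sample values and the year-2000 plausibility cutoff are assumptions; the values are passed in rather than read from UCR.

```python
from datetime import date, datetime, timedelta

MAX_LIFETIME_DAYS = 398  # browser limit cited in the bug report
EPOCH = date(1970, 1, 1)
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -noout -dates`

# Constructed sample output of `openssl x509 -noout -dates` (not from a real host).
SAMPLE_DATES = """notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Aug 31 00:00:00 2025 GMT"""


def expiry_from_validity_host(value):
    """ssl/validity/host is an absolute expiry date: days since 1970-01-01."""
    return EPOCH + timedelta(days=int(value))


def cert_lifetime_days(dates_output):
    """Lifetime in days from the notBefore=/notAfter= lines."""
    fields = dict(l.split("=", 1) for l in dates_output.strip().splitlines())
    start = datetime.strptime(fields["notBefore"], OPENSSL_FMT)
    end = datetime.strptime(fields["notAfter"], OPENSSL_FMT)
    return (end - start).days


def audit(validity_host, default_days, dates_output, today):
    """Return findings for one host; inputs are passed in, nothing is read from UCR."""
    findings = []
    expiry = expiry_from_validity_host(validity_host)
    if expiry < date(2000, 1, 1):
        # e.g. "398" decodes to 1971-02-03: a lifetime was written into a date field
        findings.append(f"ssl/validity/host={validity_host} decodes to {expiry}; looks like a lifetime")
    elif expiry < today:
        findings.append(f"installed certificate expired on {expiry}")
    if int(default_days) > MAX_LIFETIME_DAYS:
        findings.append(f"ssl/default/days={default_days} exceeds {MAX_LIFETIME_DAYS}")
    lifetime = cert_lifetime_days(dates_output)
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"installed certificate lifetime is {lifetime} days")
    return findings


if __name__ == "__main__":
    # Constructed values: expiry 2025-08-31, lifetime setting of 1825 days.
    for finding in audit("20331", "1825", SAMPLE_DATES, date(2022, 2, 9)):
        print(finding)
```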