💾 Archived View for kwiecien.us › gemlog › self-signed-cert.gmi captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

➡️ Next capture (2022-01-08)

-=-=-=-=-=-=-

Self-Signed Cert

Authors: Ben <benulo@systemli.org>

Dated: 2021-04-25

In an attempt to do TOFU right, I ended up generating a self-signed cert thanks to geminid providing the ability to do this in its Makefile. ("make cert") After generating and installing it, I noticed that it expires in only one year, which I thought was kind of short. It seems like kind of a waste since I already had it using my LetsEncrypt cert which is verified by the CA, but it's still better to only have to change it once a year than four times a year, which I have to do with certbot anyway for my other services.

So now I'm a little confused; should TOFU certs last forever? I wanted to set an expiry date of something like 9999-12-31 like Diohsc does for client certs, but I couldn't figure out how to make openssl do that. It seems the -days argument works, but not -enddate like I read online. Maybe I'll play with it later.

Therefore, if you're wondering what happened to my capsule's cert, it's because I messed with it. Best to leave it be for now, I suppose!