💾 Archived View for kwiecien.us › gemlog › self-signed-cert.gmi captured on 2022-01-08 at 13:39:11. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Authors: Ben <benk@tilde.team>
Dated: 2021-04-25
In an attempt to do TOFU right, I ended up generating a self-signed cert thanks to geminid providing the ability to do this in its Makefile. ("make cert") After generating and installing it, I noticed that it expires in only one year, which I thought was kind of short. It seems like kind of a waste since I already had it using my LetsEncrypt cert which is verified by the CA, but it's still better to only have to change it once a year than four times a year, which I have to do with certbot anyway for my other services.
So now I'm a little confused; should TOFU certs last forever? I wanted to set an expiry date of something like 9999-12-31 like Diohsc does for client certs, but I couldn't figure out how to make openssl do that. It seems the -days argument works, but not -enddate like I read online. Maybe I'll play with it later.
Therefore, if you're wondering what happened to my capsule's cert, it's because I messed with it. Best to leave it be for now, I suppose!