SSL Certificate Durations

Is there any way to adjust the duration of SSL certificates the satellites use for communication with the masters, our security group has flagged the long duration as a problem and would like them adjusted to be shorter however I have seen no spot within the documentation where the durations can be adjusted at all.

The duration changed in newer version so maybe you should try to replace the existing ones with new ones. Icinga 2 got the feature to renew certificates just a few versions ago.

Hi,

that’s a hardcoded value following typical recommendations. AFAIK thanks to RHEL5 boundaries we’ve lowered this from 30 to 15 years. That was before we’ve invented the CA proxy and automated certificate renewal by clients who trust each other already.

If you really need a different duration, you need to manage the certificates outside of Icinga and generate your own. There’s a discussion topic for this here: Own CA for Icinga Cluster/API communication?

Cheers,
Michael