By default, step-ca issues certificates that are valid for only one day. This means that clients need to have multiple renew attempts scheduled throughout the day; otherwise, missing one could mean having their certificates expire. This is unnecessary, and not even possible in all cases, so let's make the default validity period longer and avoid the issue.
57 lines
1.1 KiB
JSON
{
|
|
"root": "certs/root_ca.crt",
|
|
"federatedRoots": null,
|
|
"crt": "certs/intermediate_ca.crt",
|
|
"key": "secrets/intermediate_ca.key",
|
|
"address": ":32599",
|
|
"insecureAddress": "",
|
|
"dnsNames": [
|
|
"ca.pyrocufflink.blue"
|
|
],
|
|
"logger": {
|
|
"format": "json"
|
|
},
|
|
"db": {
|
|
"type": "bbolt",
|
|
"dataSource": "db/step.db"
|
|
},
|
|
"authority": {
|
|
"claims": {
|
|
"enableSSHCA": false,
|
|
"disableRenewal": false,
|
|
"allowRenewalAfterExpiry": false,
|
|
"disableSmallstepExtensions": false
|
|
},
|
|
"provisioners": [
|
|
{
|
|
"type": "ACME",
|
|
"name": "acme",
|
|
"claims": {
|
|
"maxTLSCertDuration": "744h",
|
|
"defaultTLSCertDuration": "168h"
|
|
}
|
|
},
|
|
{
|
|
"type": "OIDC",
|
|
"name": "authelia",
|
|
"clientID": "step-ca",
|
|
"clientSecret": "",
|
|
"configurationEndpoint": "https://auth.pyrocufflink.blue/.well-known/openid-configuration",
|
|
"admins": [
|
|
"dustin@hatch.name"
|
|
]
|
|
}
|
|
],
|
|
"backdate": "1m0s"
|
|
},
|
|
"tls": {
|
|
"cipherSuites": [
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
|
],
|
|
"minVersion": 1.3,
|
|
"maxVersion": 1.3,
|
|
"renegotiation": false
|
|
}
|
|
}
|
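Review bot: The description says the default validity period should be longer, but the `claims` block carrying `defaultTLSCertDuration` and `maxTLSCertDuration` sits only on the ACME provisioner, so certificates issued through the OIDC provisioner `authelia` still fall back to the authority-wide default the description calls out as too short. If the intent is CA-wide, the same two keys belong in the existing `authority.claims` object next to `disableRenewal` (`"defaultTLSCertDuration": "168h", "maxTLSCertDuration": "744h"`), where a provisioner-level `claims` can still narrow them for a specific issuer. Separately, `"maxTLSCertDuration": "744h"` allows a leaf to remain valid for up to 31 days, so a key lost inside that window is taken out of service only by revocation rather than by expiry; if the goal is just to survive missed renewals, a maximum closer to the 168h default keeps that exposure smaller. Which of these lines the commit actually added cannot be confirmed from the rendered page, as the old/new markers were lost.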