If you’re using the authority-admin provisioner, the default certificate lifetime is 24 hours. The 24-hour default validity window for certificates is arbitrary. Depending on your threat model and use context, you may want much shorter or much longer certificate lifetimes.
You can dynamically adjust the certificate not-before and not-after parameters when requesting a certificate.
For example, this certificate will be valid for six minutes:
step ca certificate localhost localhost.crt localhost.key \
    --not-after=6m
In this example, this certificate will be valid starting 5 minutes from now, until 10 days from now:
step ca certificate localhost localhost.crt localhost.key \
    --not-before=5m --not-after=240h
PLEASE NOTE: Provisioners can be defined or modified with certificate minimum and maximum lifetimes and default certificate expiry. A single Authority can support many provisioners to unlock various automated workflows. See the provisioners documentation to learn more about provisioners and claims.
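The following added example (not step-ca code, and not from the original page) models the two requests above: it turns the not-before and not-after offsets into a validity window and checks the resulting lifetime against a provisioner's minimum and maximum. The function names and the 5m/24h limits are assumptions chosen for illustration, and the model ignores details a real CA may apply, such as backdating for clock skew.

```python
import re
from datetime import datetime, timedelta, timezone

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0}

def parse_duration(text):
    """Parse a duration such as '6m', '240h' or '1h30m' into a timedelta."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(h|m|s)", text)
    # Reject anything the pattern did not consume completely (e.g. '5ms', '10d').
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _UNIT_SECONDS[u] for n, u in parts))

def validity_window(now, not_before="0s", not_after="24h"):
    """Both offsets are measured from the request time, as in the examples above."""
    start = now + parse_duration(not_before)
    end = now + parse_duration(not_after)
    if end <= start:
        raise ValueError("not-after must be later than not-before")
    return start, end

def check_claims(start, end, min_dur, max_dur):
    """Return None when the lifetime fits the policy, else the reason it does not."""
    lifetime = end - start
    if lifetime < parse_duration(min_dur):
        return f"lifetime {lifetime} is shorter than the minimum {min_dur}"
    if lifetime > parse_duration(max_dur):
        return f"lifetime {lifetime} is longer than the maximum {max_dur}"
    return None

# Hypothetical provisioner limits, constructed for this example.
POLICY_MIN, POLICY_MAX = "5m", "24h"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    requests = [
        {"not_after": "6m"},                        # first command above
        {"not_before": "5m", "not_after": "240h"},  # second command above
    ]
    for req in requests:
        start, end = validity_window(now, **req)
        verdict = check_claims(start, end, POLICY_MIN, POLICY_MAX) or "within policy"
        print(f"{req}: {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M} UTC, {verdict}")
```

Under these assumed limits the six-minute request fits, while the ten-day request exceeds the maximum, so the provisioner's limits have to be raised before such a certificate can be issued.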