Allow for certificates to be re-issued #197

Closed
kevgliss opened this issue Dec 31, 2015 · 1 comment

@kevgliss
Contributor

It is often useful to allow users to easily re-issue their certificates. The way I see it there are a couple different ways this could be implemented:

  • Force issuer plugins to implement a 'reissue' function
    • Each CA does reissue a bit differently; Symantec/Verisign has its own logic on what it means to reissue a certificate. We could force issuer plugins to create a reissue function that would navigate the logic of that particular CA. The messy part is that CAs may require that a state or challenge be saved and then presented before a certificate will be re-issued.
  • Save the request data when a certificate is created
    • If we save this data (json) Lemur's re-issue function might be able to simply use the same data and modify the not_before, not_after values (maybe OU?) then create a new certificate using create_certificate interface. This is much easier to implement but a major drawback is that we don't know what the rules are in determining if a given certificate already exists.
@kevgliss
Contributor Author

A third way would be to parse the certificate fields and extensions and return such that this information could then be fed back through the process (with new dates) and have a new certificate issued.

This would also allow us to edit the 'cloned' certificate if need be (e.g. adding a new domain).
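
The third approach above, sketched as an added example (not Lemur's code or the commenter's): it uses the Python `cryptography` package to parse an issued certificate into a request with new dates and an optional extra domain. The dict keys and the names `clone_request` and `sample_cert` are hypothetical, and the sample certificate is constructed.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def clone_request(cert, now, extra_domains=()):
    """Turn an issued certificate into a request dict with fresh dates.

    The dict keys are hypothetical, not Lemur's request schema.
    """
    try:  # cryptography >= 42 exposes timezone-aware properties
        lifetime = cert.not_valid_after_utc - cert.not_valid_before_utc
    except AttributeError:  # older releases only have the naive ones
        lifetime = cert.not_valid_after - cert.not_valid_before
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        domains = list(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        domains = []  # certificate carries no SAN extension
    for name in extra_domains:  # editing the clone, e.g. adding a domain
        if name not in domains:
            domains.append(name)
    return {
        "subject": cert.subject.rfc4514_string(),
        "domains": domains,
        "not_before": now,  # same validity length, new start date
        "not_after": now + lifetime,
    }


def sample_cert():
    """Constructed self-signed certificate, used only as sample input."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    start = dt.datetime(2015, 1, 1)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + dt.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.com")]), critical=False)
        .sign(key, hashes.SHA256())
    )
```
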

nezdolik pushed a commit to spotify/lemur that referenced this issue Mar 23, 2023
Let Lemur renew certificates at 9am (instead of 13am) so it's done before Digicert sends out the 30 days to expiry notification on that day, which they always seem to do around 9.30am.

https://ghe.spotify.net/wasabi/certificate-management/issues/62