Solved: Re: CSS self-signed cert expiration, 30 days or 1 year?

eleibowitz · ‎08-31-2006

In the CSS 11500 documentation for versions 7.3 and earlier, all references to self-signed certificates say that they expire in 30 days. In later versions, the documentation says both 30 days and one year. For example in this doc on version 7.4, http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_740/sslgd/certkeys.pdf , it says "A generated certificate is temporary and expires in one year" on page 4 and "A generated certificate

is temporary and expires in 30 days" on page 10. Perhaps it changed from 30 days to one year in version 7.4 and they missed the reference to it on page 10? I checked the release notes and no mention of it was made.

Gilles Dufour · ‎09-01-2006

It used to be 30 days but from looking at the code, I can see that the time in version 8.10 is 1 year 1 month 1 day.

I would however recommend to use openssl on a server instead of the CSS.

This is easier to control these kind of parameters.

Thanks,

Gilles.

View solution in original post

Gilles Dufour · ‎09-01-2006

It used to be 30 days but from looking at the code, I can see that the time in version 8.10 is 1 year 1 month 1 day.

I would however recommend to use openssl on a server instead of the CSS.

This is easier to control these kind of parameters.

Thanks,

Gilles.

eleibowitz · ‎09-01-2006

I suspected that it had been changed. Thanks for the openssl recommendation, but the ultimate goal is to offload SSL termination from the servers, which are at very high utilization, while the CSSs aren't even breathing hard. The self-signed cert is just for the test lab. Verisign certs are used in production. Thanks!