Development issues regarding the cerowrt test router project
* [Cerowrt-devel] expiring certs kill juniper routers
@ 2014-03-27 20:04 Dave Taht
  2014-04-01 15:42 ` Maciej Soltysiak
From: Dave Taht @ 2014-03-27 20:04 UTC (permalink / raw)
  To: cerowrt-devel

A whole bunch of juniper routers just went down due to an expired certificate:

http://www.gossamer-threads.com/lists/nsp/juniper/50450

We set the cerowrt https certificates to expire in 2072. I plan on being
safely dead by then... but...

I worried that I might actually get uploaded instead... and still be around...

so there's a cron job to create new ones every year.

1 3 2 1 * /etc/make-webcerts.sh # regen the web certs every year feb 1 at 3am

It bugs me that the openssl syntax for generating certs is so arcane, and it
bothers me more that there are people making bad certs out there for
mission-critical equipment.

"We're sorry, your VW bug can't start due to an expired certificate...
we're sorry, your nuclear reactor's coolant interfaces can't start due to an
expired certificate."

It kind of dwarfs the Y2038 problem in that it can happen anywhere, anytime.

-- 
Dave Täht


* Re: [Cerowrt-devel] expiring certs kill juniper routers
@ 2014-04-01 15:42 ` Maciej Soltysiak
From: Maciej Soltysiak @ 2014-04-01 15:42 UTC (permalink / raw)
  To: Dave Taht; +Cc: cerowrt-devel

> 1 3 2 1 * /etc/make-webcerts.sh # regen the web certs every year feb 1 at 3am
If for some reason I fail to have my router running on that fateful day
at 3am, it won't regenerate and we wait a year for the next run.
Maybe it'd be better to have a daily job to check for that, in case
someone misses that key moment in a year?

Before I do anything... My copy of make-webcerts.sh has:
days=21900
bits=1024

Perhaps it's better to put less than 60 years in there and up the bits?
3 runs at 4096 took 27, 30 and 42 seconds on my WNDR3800.

That would increase the first boot up after flashing, wouldn't it?

Best regards,
Maciej

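What the daily-check variant suggested above could look like, written here as an added example. This is not CeroWrt's make-webcerts.sh (the thread only shows its days=21900 and bits=1024 settings); the certificate and key paths, the hostname gw.home.lan, the 10-year validity and the 2048-bit key are all assumptions. The expiry test is `openssl x509 -checkend`, so the job is safe to run every day: on most days it does nothing, and it only regenerates when the cert is missing, unreadable, or within 30 days of expiry.

```shell
#!/bin/sh
# check-webcerts.sh: regenerate the router's self-signed web certificate only
# when it is missing, unparsable, or about to expire. Meant to run daily from
# cron. Added example, not the CeroWrt make-webcerts.sh script.
#
# All of the following are assumed values; adjust for the device.
CERT=${CERT:-/etc/lighttpd/server.pem}    # assumed certificate path
KEY=${KEY:-/etc/lighttpd/server.key}      # assumed private key path
CN=${CN:-gw.home.lan}                     # assumed router hostname
DAYS=${DAYS:-3650}                        # validity of a fresh cert (10 years)
BITS=${BITS:-2048}                        # RSA key size
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-30}

# cert_needs_renewal CERTFILE DAYS
# Exit 0 ("yes") if CERTFILE is missing, cannot be parsed, or expires within
# DAYS days; exit 1 otherwise. `openssl x509 -checkend N` exits 0 when the
# certificate is still valid N seconds from now and 1 when it is not (or when
# the file is not a certificate at all), so the result is inverted here.
cert_needs_renewal() {
    _cert=$1
    _days=$2
    [ -r "$_cert" ] || return 0
    if openssl x509 -noout -checkend "$(( _days * 86400 ))" -in "$_cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_cert CERTFILE KEYFILE CN DAYS BITS
# Key and self-signed cert in a single openssl req call. Both files are
# written under temporary names and then moved into place, so a power cut
# during generation never leaves a truncated key or cert behind.
make_cert() {
    _cert=$1; _key=$2; _cn=$3; _days=$4; _bits=$5
    ( umask 077
      openssl req -x509 -newkey "rsa:$_bits" -nodes -sha256 \
          -days "$_days" -subj "/CN=$_cn" \
          -keyout "$_key.new" -out "$_cert.new" >/dev/null 2>&1 ) || return 1
    chmod 644 "$_cert.new"    # the cert is public; the key stays mode 600
    mv "$_key.new" "$_key" && mv "$_cert.new" "$_cert"
}

# renew_if_needed CERTFILE KEYFILE
# The daily job body: a no-op on most days, a regeneration near expiry.
renew_if_needed() {
    if cert_needs_renewal "$1" "$RENEW_WITHIN_DAYS"; then
        make_cert "$1" "$2" "$CN" "$DAYS" "$BITS"
    fi
}

# Only act when invoked as a command (e.g. from cron); sourcing the file
# just defines the functions.
case "${1:-}" in
    run) renew_if_needed "$CERT" "$KEY" ;;
esac
```

Install it with a daily cron entry such as `5 3 * * * /etc/check-webcerts.sh run` (an assumed path); unlike the once-a-year line, a router that is off at 3am simply catches up the next day. Because `-checkend` also fails on a file it cannot parse, a corrupted cert is regenerated rather than served. One caveat: every regeneration produces a new self-signed cert, so clients that pinned or accepted the old one will see a warning until they trust the new one.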
