[Cerowrt-devel] expiring certs kill juniper routers

Dave Taht dave.taht at gmail.com
Thu Mar 27 16:04:22 EDT 2014


A whole bunch of Juniper routers just went down due to an expired certificate:

http://www.gossamer-threads.com/lists/nsp/juniper/50450

We set the cerowrt https certificates to expire in 2072. I plan on being safely dead by then... but...

I worried that I might actually get uploaded instead... and still be around...

so there's a cron job to create new ones every year.

1 3 1 2 * /etc/make-webcerts.sh # regen the web certs every year feb 1 at 3am

It bugs me that the openssl syntax for generating certs is so arcane, and it bothers me more that there are people making bad certs out there for mission-critical equipment.

"We're sorry, your VW Bug can't start due to an expired certificate... we're sorry, your nuclear reactor's coolant interfaces can't start due to an expired certificate."

It kind of dwarfs the Y2038 problem in that it can happen anywhere, anytime.

-- 
Dave Täht
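The two things the mail leans on, a cron-driven regeneration script and the openssl incantation it wraps, written out as an added example. This is not CeroWrt's make-webcerts.sh and not Dave's code; it assumes GNU date (for `date -d`) and openssl in PATH, and the directory, common name and warning threshold are placeholders. Besides generating the cert with an explicit lifetime, it reports how many days a cert has left so an approaching expiry can be caught by a monitoring check instead of by the box falling over.

```sh
#!/bin/sh
# Added example, not CeroWrt's make-webcerts.sh. Regenerates a self-signed web
# cert with an explicit lifetime and reports days remaining on an existing cert.
# Assumes GNU date (`date -d`) and openssl. Paths and CN are placeholders.

CERT_DIR="${CERT_DIR:-/tmp/webcert-example}"   # placeholder location
CN="${CN:-router.example.invalid}"              # placeholder common name
WARN_DAYS="${WARN_DAYS:-30}"                    # warn when fewer days remain

# make_webcert DAYS: generate a key and a self-signed cert valid for DAYS days.
# The openssl options, spelled out:
#   req -x509                 self-signed certificate, not a signing request
#   -newkey rsa:2048 -nodes   fresh 2048-bit RSA key with no passphrase
#   -days DAYS                validity period; the field that bites when forgotten
#   -subj                     non-interactive subject so it runs from cron
make_webcert() {
  days="$1"
  mkdir -p "$CERT_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$CERT_DIR/key.pem" -out "$CERT_DIR/cert.pem" \
    -days "$days" -subj "/CN=$CN" 2>/dev/null
}

# days_left NOTAFTER: NOTAFTER is the line printed by
#   openssl x509 -noout -enddate -in cert.pem
# e.g. "notAfter=Feb  1 03:00:00 2072 GMT". Prints whole days until that
# instant, floored so that anything already past prints a negative number
# (plain integer division would round a few-hours-expired cert to 0).
days_left() {
  end="${1#notAfter=}"
  end_epoch=$(date -u -d "$end" +%s) || return 1
  now_epoch=$(date -u +%s)
  secs=$(( end_epoch - now_epoch ))
  if [ "$secs" -lt 0 ]; then
    echo $(( (secs - 86399) / 86400 ))
  else
    echo $(( secs / 86400 ))
  fi
}

# cert_status DAYS: classify a days_left value for a monitoring check.
cert_status() {
  if [ "$1" -lt 0 ]; then
    echo EXPIRED
  elif [ "$1" -lt "$WARN_DAYS" ]; then
    echo WARN
  else
    echo OK
  fi
}

# check_cert FILE: read the real notAfter from a certificate file and report.
check_cert() {
  enddate=$(openssl x509 -noout -enddate -in "$1") || return 1
  d=$(days_left "$enddate") || return 1
  echo "$1: $(cert_status "$d") ($d days left)"
}

# Run as "./webcert.sh demo" to generate a 365-day cert and report on it.
if [ "${1:-}" = demo ]; then
  make_webcert 365 && check_cert "$CERT_DIR/cert.pem"
fi
```

The regeneration half belongs in a yearly cron entry like the one in the mail; the check half is meant for a daily entry that feeds `check_cert` output to whatever alerting the box already has, since a renewal job that silently fails for a year is exactly the situation the Juniper thread describes.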

