Replies: 2 comments 1 reply
-
|
Yes, a feature request in the ejbca-cert-manager repo seems appropriate. |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
I made a small fix and submitted a PR for your review. Only a few lines added in two files. Tested and working. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Great, looks good to me! |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
For EJBCA certificate profiles which enable "Allow Validity Override", the ejbca-issuer should provide a mechanism to specify an end-user preference - especially for expiration date (NotAfter).
I recommend that this should be a new annotation, keeping separate the cert-manager fields "duration" and "renewBefore" as these determine Kubernetes operations and are not necessarily the same as values specified in the certificate itself.
A work-around with multiple certificate profiles is undesirable as this soon becomes a configuration nightmare with many values, and the end-users (who are not EJBCA admins) might not know this info in advance.
The underlying REST API method /v1/certificate/pkcs10enroll appears to support providing these values.
Shall I open a bug report / feature request for the EJBCA Issuer?
Beta Was this translation helpful? Give feedback.
All reactions