mirrors/caddy-website
1
0
Fork 0
mirror of https://github.com/caddyserver/website.git synced 2025-04-20 12:15:08 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pki: document certificate lifetime options (#283)

Browse source 
Signed-off-by: Kyle McCullough <kylemcc@gmail.com>

Signed-off-by: Kyle McCullough <kylemcc@gmail.com>
This commit is contained in:
Kyle McCullough 2022-12-06 17:53:42 -08:00 committed by GitHub
parent fed989d550
commit a2742d8d8d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/docs/markdown/caddyfile/directives/acme_server.md
View file

@ -18,9 +18,10 @@ Using ACME server defaults, ACME clients should simply be configured to use `htt
```caddy-d ```caddy-d
acme_server [<matcher>] { acme_server [<matcher>] {
ca <id> ca <id>
lifetime <duration>
} }
``` ```
- **ca** specifies the ID of the certificate authority with which to sign certificates. The default is `local`, which is Caddy's default CA, intended for locally-used, self-signed certificates, which is most common in dev environments. For broader use, it is recommended to specify a different CA to avoid confusion. If the CA with the given ID does not already exist, it will be created. See the [PKI app global options](/docs/caddyfile/options#pki-options) to configure alternate CAs. - **ca** specifies the ID of the certificate authority with which to sign certificates. The default is `local`, which is Caddy's default CA, intended for locally-used, self-signed certificates, which is most common in dev environments. For broader use, it is recommended to specify a different CA to avoid confusion. If the CA with the given ID does not already exist, it will be created. See the [PKI app global options](/docs/caddyfile/options#pki-options) to configure alternate CAs.
- **lifetime** (Default: `12h`) is a [duration](/docs/conventions#durations) which specifies the validity period for issued certificates. This value must be less than the lifetime of the [intermediate certificate](/docs/caddyfile/options#intermediate-lifetime) used for signing. It is not recommended to change this unless absolutely necessary.

10
src/docs/markdown/caddyfile/options.md
View file

@ -115,9 +115,10 @@ Possible options are:
# PKI Options # PKI Options
pki { pki {
ca [<id>] { ca [<id>] {
name <name> name <name>
root_cn <name> root_cn <name>
intermediate_cn <name> intermediate_cn <name>
intermediate_lifetime <duration>
root { root {
format <format> format <format>
cert <path> cert <path>
@ -446,6 +447,9 @@ The name to put in the CommonName field of the root certificate. Default: `{pki.
##### `intermediate_cn` ##### `intermediate_cn`
The name to put in the CommonName field of the intermediate certificates. Default: `{pki.ca.name} - ECC Intermediate` The name to put in the CommonName field of the intermediate certificates. Default: `{pki.ca.name} - ECC Intermediate`
##### `intermediate_lifetime`
The [duration](/docs/conventions#durations) for which intermediate certificates are valid. This value must be less than the lifetime of the root cert (`3600d`). Default: `7d`. It is recommended not to change this unless absolutely necessary.
##### `root` ##### `root`
A key pair (certificate and private key) to use as the root for the CA. If not specified, one will be generated and managed automatically. A key pair (certificate and private key) to use as the root for the CA. If not specified, one will be generated and managed automatically.