David Woodhouse authored
The CA has expired. Rebuild it (and remove the old GnuTLS CA from the ca-key.pem file where it was just noise). Rebuild all other certificates while we're at it, but leave the keys as they were. Extend the validity to 10000 days which should expire in 2050, by which time it probably won't be my problem. Dan seems young and healthy; maybe he can thank me then for pedantically scripting it all instead of doing it manually. Or maybe it'll have bitrotted so much by then that it won't help.

Most of it worked out of the box this time, but I re-imported the certs into SoftHSM manually because I didn't want to start from scratch using the softhsm-setupX make targets. I think some of the behaviour of the GnuTLS tools (not importing pubkeys, etc.) has changed since I did this. Arguably we should rewrite those rules to import things the same way into each token and then explicitly tweak them, deleting the public keys and explicitly marking objects public or private as needed for each token.

The SoftHSM modifications also had to be done with an older version of SoftHSM (I used 2.2.0 on Ubuntu 18.04) because doing it with a newer version meant the newly-imported certs weren't visible in the Ubuntu 18.04 or CentOS 9 test runs.

Fixes: #609
Signed-off-by: David Woodhouse <dwmw2@infradead.org>