Merge pull request openshift#3267 from php-coder/document_oadm_ca_exp…

…ire_days_option Document --expire-days and --signer-expire-days options
gyj0825 · Dec 16, 2016 · e1c41c5 · e1c41c5
2 parents 9c13912 + 95a6f4d
commit e1c41c5
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 0 deletions.
diff --git a/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.adoc b/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.adoc
@@ -67,6 +67,15 @@ in this topic they are kept separate.
 [[sssd-phase-1-certificate-generation]]
 == Phase 1: Certificate Generation
 
+[NOTE]
+====
+The undermentioned commands generate certificate files that will be valid for 2
+years (and 5 years for Certification authority (CA) certificate). These
+periods can be altered with `--expire-days` and `--signer-expire-days` options
+but by security reasons it is strongly recommended to not make them greater
+than these values.
+====
+
 . To ensure that communication between the authenticating proxy and
 {product-title} is trustworthy, create a set of Transport Layer Security (TLS)
 certificates to use during the other phases of this setup. In the

diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
@@ -756,6 +756,11 @@ xref:requestheader-master-ca-config[master's identity provider configuration].
   --serial='/etc/origin/master/proxyca.serial.txt'
 ----
 
+[NOTE]
+`oadm ca create-signer-cert` generates a certificate that is valid for 5 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+
 Generate a client certificate for the proxy. This can be done using any x509
 certificate tooling. For convenience, the `oadm` CLI can be used:
 
@@ -787,6 +792,11 @@ must be included in the `X509v3 Subject Alternative Name` in the certificate
 that is specified for `*SSLCertificateFile*`. If a new certificate needs to be
 created, the `oadm ca create-server-cert` command can be used.
 
+[NOTE]
+`oadm create-api-client-config` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+
 *Configuring Apache*
 
 Unlike OpenShift Enterprise 2, this proxy does not need to reside on the same

diff --git a/install_config/master_node_configuration.adoc b/install_config/master_node_configuration.adoc
@@ -939,6 +939,11 @@ The following commands write the relevant launch configuration file(s),
 certificate files, and any other necessary files to the specified
 `--write-config` or `--node-dir` directory.
 
+Generated certificate files will be valid for 2 years. Certification authority
+(CA) certificate will be valid for 5 years. These periods can be altered with
+`--expire-days` and `--signer-expire-days` options but by security reasons
+it is strongly recommended to not make them greater than these values.
+
 To create configuration files for an all-in-one server (a master and a node on
 the same host) in the specified directory:
 

diff --git a/install_config/registry/securing_and_exposing_registry.adoc b/install_config/registry/securing_and_exposing_registry.adoc
@@ -53,6 +53,13 @@ $ oadm ca create-server-cert \
     --key=/etc/secrets/registry.key
 ----
 +
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
++
 . Create the secret for the registry certificates:
 +
 ----

diff --git a/install_config/router/default_haproxy_router.adoc b/install_config/router/default_haproxy_router.adoc
@@ -718,6 +718,13 @@ $ oadm ca create-server-cert --signer-cert=$CA/ca.crt \
 ----
 ====
 
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
+
 The router expects the certificate and key to be in PEM format in a single
 file:
 

diff --git a/registry_quickstart/administrators/system_configuration.adoc b/registry_quickstart/administrators/system_configuration.adoc
@@ -141,6 +141,13 @@ $ exit
 ----
 ====
 +
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
++
 . Copy the generated files to the registry directory and change ownership so the
 atomic-registry service can read the files.
 +