Specify -days 825 to meet Apple's requirements for TLS server certi…

…ficates
sigp · Nov 15, 2024 · cfe07df · cfe07df
1 parent 78328d9
commit cfe07df
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/testing/web3signer_tests/tls/generate.sh b/testing/web3signer_tests/tls/generate.sh
@@ -7,10 +7,14 @@
 # side. It seems that web3signer (Java) uses its own implementation to parse PKCS files.
 # See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2469252651
 
-openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:4096 -keyout web3signer/key.key -out web3signer/cert.pem -config web3signer/config &&
+# We specify `-days 825` when generating the certificate files because Apple requires TLS server certificates to have a
+# validity period of 825 days or fewer.
+# See https://github.com/sigp/lighthouse/issues/6442#issuecomment-2474979183
+
+openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout web3signer/key.key -out web3signer/cert.pem -config web3signer/config &&
 openssl pkcs12 -export -aes256 -out web3signer/key.p12 -inkey web3signer/key.key -in web3signer/cert.pem -password pass:$(cat web3signer/password.txt) &&
 cp web3signer/cert.pem lighthouse/web3signer.pem &&
-openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
+openssl req -x509 -sha256 -nodes -days 825 -newkey rsa:4096 -keyout lighthouse/key.key -out lighthouse/cert.pem -config lighthouse/config &&
 openssl pkcs12 -export -aes256 -out lighthouse/key.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
 openssl pkcs12 -export -legacy -aes256 -out lighthouse/key_legacy.p12 -inkey lighthouse/key.key -in lighthouse/cert.pem -password pass:$(cat lighthouse/password.txt) &&
 openssl x509 -noout -fingerprint -sha256 -inform pem -in lighthouse/cert.pem | cut -b 20-| sed "s/^/lighthouse /" > web3signer/known_clients.txt