Set CA certificate expiration to 730 days

[thecatontheflat]

Summary

Fix yugabyted cert generate_server_certs generating a CA certificate with only 30-day validity instead of the intended 730 days.

The generate_root_certs() function in openssl_proxy.sh used openssl req -new -x509 to generate the CA certificate without an explicit -days flag. Unlike openssl ca, the openssl req -x509 command does not read default_days from the CA config section — it falls back to OpenSSL's built-in default of 30 days. Since TLS validation requires the CA cert to be valid, this effectively capped the usable lifetime of all generated certificates to 30 days regardless of the 730-day validity set on node certs.

Changes

• bin/openssl_proxy.sh: Add -days 730 to the openssl req -new -x509 invocation in generate_root_certs(), matching the value already used for node cert signing via openssl ca.

[netlify]

✅ Deploy Preview for infallible-bardeen-164bc9 ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	f7f3944
🔍 Latest deploy log	https://app.netlify.com/projects/infallible-bardeen-164bc9/deploys/69fb57877215a000082b0046
😎 Deploy Preview	https://deploy-preview-31459--infallible-bardeen-164bc9.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[gemini-code-assist]

Code Review

This pull request updates the generate_root_certs function in bin/openssl_proxy.sh to explicitly set the root CA certificate's validity to 730 days. The reviewer suggests increasing this duration to 3650 days (10 years) to ensure the root CA outlasts the node certificates it signs, adhering to PKI best practices.

I am having trouble creating individual review comments. Click here to see my feedback.

bin/openssl_proxy.sh (95-96)

The CA certificate's validity is set to 730 days, which matches the node certificates. In PKI, it is best practice for a Root CA to have a significantly longer lifetime than the certificates it signs. If they have the same duration, the CA will expire before any node certificates issued after the CA's creation, rendering them invalid. Consider increasing the CA's validity (e.g., to 3650 days or 10 years) to ensure it outlasts all node certificates.

                -out "$root_certs_path"/ca.crt \
                -days 3650

[nchandrappa]

Thanks for PR.

This change will set both node cert expiration duration and the ca cert expiration duration to 730 days once this PR is merged. Expiration for them should be different.

can we make the change to set the root cert expiry to be 4 years, and for server cert 1 year.