Self-Signed Cert

Authors: Ben <benk@tilde.team>

Dated: 2021-04-25


In an attempt to do TOFU right, I ended up generating a self-signed cert thanks to geminid providing the ability to do this in its Makefile ("make cert"). After generating and installing it, I noticed that it expires in only one year, which I thought was kind of short. It seems like kind of a waste since I already had it using my Let's Encrypt cert which is verified by the CA, but it's still better to only have to change it once a year than four times a year, which I have to do with certbot anyway for my other services.


So now I'm a little confused; should TOFU certs last forever? I wanted to set an expiry date of something like 9999-12-31 like Diohsc does for client certs, but I couldn't figure out how to make openssl do that. It seems the -days argument works, but not -enddate like I read online. Maybe I'll play with it later.


Therefore, if you're wondering what happened to my capsule's cert, it's because I messed with it. Best to leave it be for now, I suppose!
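
Added example, not part of the original post and not geminid's own Makefile: `openssl req -x509` takes the validity period as `-days`, while `-enddate` sets an end date in `openssl ca` and only prints the existing one in `openssl x509`, so one way to land on a fixed date such as 9999-12-31 is to compute the day count first. The function names, output file names, `rsa:2048` key type and the `example.org` host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Generates a long-lived self-signed cert for a TOFU-pinned
# server by converting a target end date into the -days value openssl req expects.

# Day number of a Gregorian date given as YYYY-MM-DD (years >= 1).
# Months are counted from March so the leap day falls at the end of the year.
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}
    m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # strip leading zero so 08/09 are not read as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    mp=$(( (m + 9) % 12 ))        # March=0 ... February=11
    yoe=$((y % 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    echo $(( (y / 400) * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy ))
}

# Whole days from START to END, both YYYY-MM-DD.
days_between() {
    echo $(( $(days_from_civil "$2") - $(days_from_civil "$1") ))
}

# usage: make_tofu_cert HOSTNAME END_DATE
# Writes HOSTNAME.key and HOSTNAME.crt (assumed names) in the current directory.
make_tofu_cert() {
    host=$1; end=$2
    days=$(days_between "$(date -u +%Y-%m-%d)" "$end")
    if [ "$days" -le 0 ]; then
        echo "end date $end is not in the future" >&2
        return 1
    fi
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$host.key" -out "$host.crt" \
        -subj "/CN=$host" -days "$days" || return 1
    chmod 600 "$host.key"
    # Show what clients will pin: the notAfter date and the SHA-256 fingerprint.
    openssl x509 -in "$host.crt" -noout -enddate -fingerprint -sha256
}

# Run directly as: sh tofu-cert.sh example.org 9999-12-31
if [ "$#" -eq 2 ]; then
    make_tofu_cert "$1" "$2"
fi
```

Because TOFU clients pin the certificate they first saw, the printed fingerprint is the value to publish or compare after any regeneration.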
