Merge pull request #3267 from php-coder/document_oadm_ca_expire_days_option

Brice Fallon-Freeman · web-flow · commit e1c41c5c0015 · 2016-12-16T11:51:20.000+10:00
Document --expire-days and --signer-expire-days options
diff --git a/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.adoc b/install_config/advanced_ldap_configuration/sssd_for_ldap_failover.adoc
@@ -67,6 +67,15 @@ in this topic they are kept separate.
 [[sssd-phase-1-certificate-generation]]
 == Phase 1: Certificate Generation
 
+[NOTE]
+====
+The undermentioned commands generate certificate files that will be valid for 2
+years (and 5 years for Certification authority (CA) certificate). These
+periods can be altered with `--expire-days` and `--signer-expire-days` options
+but by security reasons it is strongly recommended to not make them greater
+than these values.
+====
+
 . To ensure that communication between the authenticating proxy and
 {product-title} is trustworthy, create a set of Transport Layer Security (TLS)
 certificates to use during the other phases of this setup. In the
diff --git a/install_config/configuring_authentication.adoc b/install_config/configuring_authentication.adoc
@@ -756,6 +756,11 @@ xref:requestheader-master-ca-config[master's identity provider configuration].
   --serial='/etc/origin/master/proxyca.serial.txt'
 ----
 
+[NOTE]
+`oadm ca create-signer-cert` generates a certificate that is valid for 5 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+
 Generate a client certificate for the proxy. This can be done using any x509
 certificate tooling. For convenience, the `oadm` CLI can be used:
 
@@ -787,6 +792,11 @@ must be included in the `X509v3 Subject Alternative Name` in the certificate
 that is specified for `*SSLCertificateFile*`. If a new certificate needs to be
 created, the `oadm ca create-server-cert` command can be used.
 
+[NOTE]
+`oadm create-api-client-config` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+
 *Configuring Apache*
 
 Unlike OpenShift Enterprise 2, this proxy does not need to reside on the same
diff --git a/install_config/master_node_configuration.adoc b/install_config/master_node_configuration.adoc
@@ -939,6 +939,11 @@ The following commands write the relevant launch configuration file(s),
 certificate files, and any other necessary files to the specified
 `--write-config` or `--node-dir` directory.
 
+Generated certificate files will be valid for 2 years. Certification authority
+(CA) certificate will be valid for 5 years. These periods can be altered with
+`--expire-days` and `--signer-expire-days` options but by security reasons
+it is strongly recommended to not make them greater than these values.
+
 To create configuration files for an all-in-one server (a master and a node on
 the same host) in the specified directory:
 
diff --git a/install_config/registry/securing_and_exposing_registry.adoc b/install_config/registry/securing_and_exposing_registry.adoc
@@ -53,6 +53,13 @@ $ oadm ca create-server-cert \
     --key=/etc/secrets/registry.key
 ----
 +
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
++
 . Create the secret for the registry certificates:
 +
 ----
diff --git a/install_config/router/default_haproxy_router.adoc b/install_config/router/default_haproxy_router.adoc
@@ -718,6 +718,13 @@ $ oadm ca create-server-cert --signer-cert=$CA/ca.crt \
 ----
 ====
 
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
+
 The router expects the certificate and key to be in PEM format in a single
 file:
 
diff --git a/registry_quickstart/administrators/system_configuration.adoc b/registry_quickstart/administrators/system_configuration.adoc
@@ -141,6 +141,13 @@ $ exit
 ----
 ====
 +
+[NOTE]
+====
+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
+This period can be altered with `*--expire-days*` option but by security
+reasons it is strongly recommended to not make it greater than this value.
+====
++
 . Copy the generated files to the registry directory and change ownership so the
 atomic-registry service can read the files.
 +

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,13 @@ $ oadm ca create-server-cert \`
`53`	`53`	`--key=/etc/secrets/registry.key`
`54`	`54`	`----`
`55`	`55`	`+`
	`56`	`+[NOTE]`
	`57`	`+====`
	`58`	+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
	`59`	+This period can be altered with `--expire-days` option but by security
	`60`	`+reasons it is strongly recommended to not make it greater than this value.`
	`61`	`+====`
	`62`	`++`
`56`	`63`	`. Create the secret for the registry certificates:`
`57`	`64`	`+`
`58`	`65`	`----`
Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,13 @@ $ exit`
`141`	`141`	`----`
`142`	`142`	`====`
`143`	`143`	`+`
	`144`	`+[NOTE]`
	`145`	`+====`
	`146`	+`oadm ca create-server-cert` generates a certificate that is valid for 2 years.
	`147`	+This period can be altered with `--expire-days` option but by security
	`148`	`+reasons it is strongly recommended to not make it greater than this value.`
	`149`	`+====`
	`150`	`++`
`144`	`151`	`. Copy the generated files to the registry directory and change ownership so the`
`145`	`152`	`atomic-registry service can read the files.`
`146`	`153`	`+`