ca: Allow disabling CA key renewal.

For easier use when renewing a single certificate after restoring backups, for example.

ca: Allow disabling CA key renewal.
For easier use when renewing a single certificate after restoring backups, for example.
8d759f9e · Vincent Pelletier · f6661875 · 8d759f9e
Commit 8d759f9e authored Nov 03, 2017 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

caucase/ca.py caucase/ca.py +3 -2

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -96,8 +96,9 @@ class CertificateAuthority(object):
      Items to use as Certificate Authority certificate subject.
      Supported keys are: C, O, OU, ST, CN, L, SN, GN.

-    ca_key_size (int)
+    ca_key_size (int, None)
      Number of bits to use as Certificate Authority key.
+      None to disable CA renewal.

    crt_life_time (float)
      Validity duration for every issued certificate, in days.
@@ -436,7 +437,7 @@ class CertificateAuthority(object):
    Updates self._ca_key_pairs_list .
    """
    if (
-      not self._ca_key_pairs_list or (
+      self._ca_key_size is not None and not self._ca_key_pairs_list or (
        self._ca_key_pairs_list[-1]['crt'].not_valid_after - datetime.datetime.utcnow()
      ).total_seconds() / self._crt_life_time.total_seconds() <= 2
    ) and self._ca_renewal_lock.acquire(False):