OpenSSL examples set CA validity to 5 years

enablebanking · Sep 3, 2024 · 2a762a0 · 2a762a0
1 parent 3187d96
commit 2a762a0
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -75,10 +75,13 @@ And CA certificate shall be generated (if necessary, replace values under `-subj
 with your values).
 
 ```bash
-openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
+openssl req -new -x509 -days 1825 -key ca.key -out ca.crt \
     -subj "/C=FI/ST=Uusimaa/L=Helsinki/O=ExampleOrganisation/CN=ca.example.com"
 ```
 
+**NB:** In the example above the CA certificate validity period is set to 5 years, which
+allows to rotate server and client certificates without the need to replace CA certificate itself.
+
 ### Server
 
 Then server (broker) private key can be generated (again at the broker site).