Changed ephemeral key to 30m lifespan; keys stored in /dev/shm; explicit 0600 perms; delete keys when session opens.

2026-02-03 09:17:15 +00:00
parent 667b02f0c3
commit f54cc3f09b
3 changed files with 15 additions and 2 deletions


@@ -83,6 +83,7 @@ def _sign_public_key(
serial: int,
validity_days: int,
comment: str,
validity_override: str | None = None,
) -> str:
if not ca_private_key or not ca_public_key:
raise RuntimeError("CA material missing")
@@ -102,7 +103,7 @@ def _sign_public_key(
"-n",
principal,
"-V",
f"+{validity_days}d",
validity_override or f"+{validity_days}d",
"-z",
str(serial),
pubkey_path,
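Review bot: `validity_override` reaches the `-V` argument unchecked, and the `or` fallback treats an empty string like `None`, so a blank override silently yields the longer `+{validity_days}d` certificate instead of the short-lived one this commit intends. Because this value sets the certificate lifetime, I would test it with `is not None` and reject anything that is not a bounded relative interval, e.g. `if validity_override is not None and not re.fullmatch(r"\+\d+[smhdw]", validity_override): raise ValueError("invalid validity_override")`. That check also stops unbounded forms such as `always:forever` from being signed if a caller ever passes one through. The body of `_sign_public_key` starts and ends outside these hunks, so whether callers already constrain the value is not visible here.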