CSR expirationSeconds cannot be extended beyond 30 days in RHOCP4

Solution Verified - Updated -

Issue

  • A request for an x509 user certificate with a duration of 90 days expiry does not work.
  • The CSR appears to be approved successfully for 90 days
$ oc get csr auth2kube-access
NAME               AGE   SIGNERNAME                            REQUESTOR    REQUESTEDDURATION   CONDITION
auth2kube-access   37m   kubernetes.io/kube-apiserver-client   kube:admin   90d                 Approved,Issued
  • However, the expiration of the same CSR is defaulting to a span of 28 days.
$ oc get csr auth2kube-access -o jsonpath='{.status.certificate}' | base64 -d > csr.crt
$ openssl x509 -in csr.crt -noout -text|grep No

            Not Before: Jan  5 13:39:44 2023 GMT
            Not After : Feb  2 13:27:32 2023 GMT
  • How can we have a CSR duration longer than 28 days?

Environment

  • Red Hat OpenShift Container Platform 4.11

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content