Summary
The default PKI generation creates certificates with a relatively short validity period. If those certificates expire and are not regenerated before expiration, BearSSL crashes instead of handling the expired certificate gracefully.
For an embedded device such as DagShell, frequent certificate rotation provides little practical value and creates an unnecessary failure point.
Expected Behavior
The generated PKI should remain valid long enough that normal users are unlikely to encounter certificate expiration during the expected life of the device.
Current Behavior
- Default certificates have a short validity period.
- If the certificates expire, BearSSL crashes.
- Users must manually regenerate and replace certificates to recover.
Proposed Solution
Increase the default certificate validity to 10 years (3650 days) for both the Root CA and the server certificate.
Example:
```python
# inside the x509.CertificateBuilder() call chain
.not_valid_after(
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=3650)
)
```
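The following is an added example and not DagShell's own PKI generator: a complete two-certificate PKI (Root CA plus server certificate) built with the Python `cryptography` library using the proposed 3650-day default, together with the pre-flight expiry check from the Additional Notes below, so an expired certificate is reported as an ordinary error before it ever reaches the TLS stack. The function names (`make_ca`, `make_server_cert`, `check_not_expired`), the `DagShell Root CA` subject, the `dagshell.local` hostname, the P-256 key choice and the five-minute `notBefore` backdate are all assumptions for illustration; the leaf's `notAfter` is also clamped to the CA's so that the server certificate never outlives its issuer.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Default proposed in this issue: 10 years for both the Root CA and the server cert.
DEFAULT_VALIDITY_DAYS = 3650
# Assumed, not from the issue: backdate notBefore slightly so a client whose clock
# runs a few minutes behind the device still accepts a freshly generated certificate.
CLOCK_SKEW = datetime.timedelta(minutes=5)


def cert_time(cert: x509.Certificate, attr: str) -> datetime.datetime:
    """Return cert.not_valid_before / not_valid_after as tz-aware UTC on any cryptography version."""
    value = getattr(cert, attr + "_utc", None)   # cryptography >= 42 exposes *_utc
    if value is None:                             # older releases: naive, UTC-valued
        value = getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)
    return value


def _window(days: int):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - CLOCK_SKEW, now + datetime.timedelta(days=days)


def make_ca(days: int = DEFAULT_VALIDITY_DAYS):
    """Self-signed Root CA; the subject name is a placeholder."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "DagShell Root CA")])
    not_before, not_after = _window(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                          content_commitment=False, key_encipherment=False,
                          data_encipherment=False, key_agreement=False,
                          encipher_only=False, decipher_only=False),
            critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_server_cert(ca_key, ca_cert, hostname: str = "dagshell.local",
                     days: int = DEFAULT_VALIDITY_DAYS):
    """Server certificate signed by the CA; hostname is a placeholder."""
    key = ec.generate_private_key(ec.SECP256R1())
    not_before, not_after = _window(days)
    # A leaf that outlives its issuer stops validating at the CA's expiry anyway, so clamp it.
    not_after = min(not_after, cert_time(ca_cert, "not_valid_after"))
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def validity_days(cert) -> int:
    return (cert_time(cert, "not_valid_after") - cert_time(cert, "not_valid_before")).days


def days_remaining(cert, now=None) -> int:
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (cert_time(cert, "not_valid_after") - now).days


def check_not_expired(cert, now=None) -> bool:
    """Pre-flight check to run before handing the cert to the TLS stack: a clear,
    recoverable error here instead of a failure deep inside the TLS library."""
    if days_remaining(cert, now) < 0:
        raise ValueError(f"{cert.subject.rfc4514_string()} expired on "
                         f"{cert_time(cert, 'not_valid_after').isoformat()}")
    return True


def verify_issued_by(leaf, issuer) -> bool:
    """True if leaf's signature verifies under issuer's public key (ECDSA keys only here)."""
    try:
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, srv_cert = make_server_cert(ca_key, ca_cert)
    check_not_expired(srv_cert)
    print(f"CA valid {validity_days(ca_cert)} days, server valid {validity_days(srv_cert)} days,"
          f" chain ok={verify_issued_by(srv_cert, ca_cert)}")
```

Running `check_not_expired` on the stored certificates at boot, and again before regenerating or replacing them, turns the expiry case into a logged error with the exact date instead of a crash; the clamp in `make_server_cert` matters because extending only the server certificate while the CA keeps a shorter lifetime would still fail at the CA's expiry.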
Rationale
- DagShell is a self-contained embedded device.
- The certificates are used only to establish trust between the device and the client.
- There is little benefit to using 30-, 60-, or 90-day certificates in this environment.
- A 10-year validity period greatly reduces maintenance while avoiding unexpected failures.
- This follows the common approach used by many embedded and appliance-style products.
Additional Notes
If certificate expiration is still encountered, BearSSL should ideally return a recoverable error rather than crashing. Extending the default validity period is a simple mitigation, while graceful handling of expired certificates would provide a more robust long-term solution.