
Extend Default PKI Certificate Validity to Prevent BearSSL Crashes #5

Description

@simeononsecurity

Summary

The default PKI generation creates certificates with a relatively short validity period. If those certificates expire and are not regenerated before expiration, BearSSL crashes instead of handling the expired certificate gracefully.

For an embedded device such as DagShell, frequent certificate rotation provides little practical value and creates an unnecessary failure point.

Expected Behavior

The generated PKI should remain valid long enough that normal users are unlikely to encounter certificate expiration during the expected life of the device.

Current Behavior

  • Default certificates have a short validity period.
  • If the certificates expire, BearSSL crashes.
  • Users must manually regenerate and replace certificates to recover.

Proposed Solution

Increase the default certificate validity to 10 years (3650 days) for both the Root CA and the server certificate.

Example:

# pyca/cryptography x509.CertificateBuilder: expiry 10 years (3650 days) from now
import datetime

.not_valid_after(
    datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=3650)
)

Rationale

  • DagShell is a self-contained embedded device.
  • The certificates are used only to establish trust between the device and the client.
  • There is little benefit to using 30-, 60-, or 90-day certificates in this environment.
  • A 10-year validity period greatly reduces maintenance while avoiding unexpected failures.
  • This follows the common approach used by many embedded and appliance-style products.

Additional Notes

If certificate expiration is still encountered, BearSSL should ideally return a recoverable error rather than crashing. Extending the default validity period is a simple mitigation, while graceful handling of expired certificates would provide a more robust long-term solution.
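The following is an added example, not DagShell's PKI script and not part of this issue. It uses Go's standard library crypto/x509 in place of the Python cryptography call quoted above, to show the two halves of the request end to end: generating a root CA and a server certificate with the proposed 3650-day validity, and a pre-flight validity check that returns a recoverable error for an expired or not-yet-valid certificate instead of passing it to the TLS stack. The hostname "dagshell.local", the constant ValidityDays and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidityDays matches the 3650 days (10 years) proposed in the issue.
// Both the root CA and the server certificate use it.
const ValidityDays = 3650

// GenerateDevicePKI builds a self-signed root CA and a server certificate
// signed by it, both valid from notBefore for ValidityDays.
// hostname is the server certificate's SAN (assumed value for this example).
func GenerateDevicePKI(hostname string, notBefore time.Time) (ca, server *x509.Certificate, err error) {
	notAfter := notBefore.Add(ValidityDays * 24 * time.Hour)

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "DagShell Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if server, err = x509.ParseCertificate(srvDER); err != nil {
		return nil, nil, err
	}
	return ca, server, nil
}

// Recoverable errors a certificate loader returns instead of handing an
// out-of-window certificate to the TLS library.
var (
	ErrExpired     = errors.New("certificate expired")
	ErrNotYetValid = errors.New("certificate not yet valid")
)

// DaysRemaining is the pre-flight check: whole days of validity left at now,
// or a recoverable error when now lies outside the validity window.
func DaysRemaining(cert *x509.Certificate, now time.Time) (int, error) {
	if now.Before(cert.NotBefore) {
		return 0, ErrNotYetValid
	}
	if now.After(cert.NotAfter) {
		return 0, ErrExpired
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// ChainValidAt runs the client-side check: does the server certificate chain
// to the root at time now? After expiry it reports false rather than failing hard.
func ChainValidAt(ca, server *x509.Certificate, hostname string, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	return err == nil
}

func main() {
	start := time.Now().UTC().Truncate(time.Second)
	ca, server, err := GenerateDevicePKI("dagshell.local", start)
	if err != nil {
		panic(err)
	}
	days, _ := DaysRemaining(server, start)
	fmt.Println("days remaining:", days)
	fmt.Println("chain valid at issue:", ChainValidAt(ca, server, "dagshell.local", start))
	fmt.Println("chain valid after 11 years:", ChainValidAt(ca, server, "dagshell.local", start.AddDate(11, 0, 0)))
}
```

Running DaysRemaining on the stored certificate at boot, and again on a timer, lets the device log or regenerate ahead of expiry; the same check, applied before the certificate is loaded, is the point at which an expired certificate becomes an error path rather than a crash.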
