I usually set up iked with certificates generated by other tooling, but
have used "ikectl ca" once or twice when I've been in a hurry, and each
time have been bitten by the default validities. It uses 365 days for
For server certificates it's simple enough to rekey or at least re-sign,
so a 1-year default seems reasonable. In addition this is controlled by
an easily editable .cnf file.
Client certificates are a bit more hassle to update, but like server
certificates you don't usually want hugely long validity for these.
Again they're controlled by the .cnf file, and the most common
end-user-facing setups using EAP username/password login don't need them.
For CRLs and CA certificates this is hardcoded in the ikectl binary.
A year is *way* too short for root CA validity. Can we bump it? The
proposal below feels reasonable to me for ikectl but I'm open to other
suggestions (I'm fairly happy with this being hardcoded for ikectl ca
use, as long as it's a sane value .. users with strong opinions or
policies diverging from ikectl's default are likely to know enough
to be able to manage their CA with other tools).
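As an added illustration of the check the mail is getting at (this is not code from the mail, from ikectl, or from the OpenBSD tree): the script below reports a CA certificate's notAfter date and fails if the CA will expire within a given number of days, which is how you would notice a one-year CA lifetime before deploying it. It assumes openssl(1) is in PATH; the self-signed test CA it can generate, its subject, and the 365-day lifetime are constructed for the example and stand in for whatever "ikectl ca" produced. The check itself uses `openssl x509 -checkend`, so it does not depend on GNU or BSD date(1) differences.

```shell
#!/bin/sh
# Added example, not part of the original mail or of ikectl.
# Purpose: audit the lifetime of a CA certificate (e.g. one produced by
# "ikectl ca <name> create") and fail if it expires within MIN_DAYS.
# Assumption: openssl(1) is available in PATH.

# ca_valid_for CERT DAYS
#   Exit 0 if CERT is still valid DAYS days from now, 1 if it expires
#   within that window. -checkend takes seconds, hence the 86400 factor.
ca_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# ca_not_after CERT
#   Print the certificate's notAfter field without the "notAfter=" prefix.
ca_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_ca_lifetime CERT MIN_DAYS
#   Print a verdict and return 0 (fine) or 1 (expires too soon).
check_ca_lifetime() {
    cert=$1
    min_days=$2
    notafter=$(ca_not_after "$cert")
    if ca_valid_for "$cert" "$min_days"; then
        printf '%s: OK, valid for more than %s days (notAfter=%s)\n' \
            "$cert" "$min_days" "$notafter"
        return 0
    fi
    printf '%s: WARNING, expires within %s days (notAfter=%s)\n' \
        "$cert" "$min_days" "$notafter" >&2
    return 1
}

# make_test_ca DIR DAYS
#   Constructed test fixture: a throwaway self-signed CA with the given
#   lifetime, standing in for the CA "ikectl ca" would have written.
#   The subject name is a placeholder.
make_test_ca() {
    dir=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days "$days" -subj "/CN=example-ikectl-ca" >/dev/null 2>&1
}

# Usage: ./ca_lifetime.sh /path/to/ca.crt [MIN_DAYS]
# The default of 3650 days (10 years) is a placeholder threshold, not a
# value taken from ikectl.
if [ $# -gt 0 ]; then
    check_ca_lifetime "$1" "${2:-3650}"
fi
```

Run it against the CA that "ikectl ca" generated with a threshold matching your own policy; a CA created with the 365-day lifetime described above will fail any threshold longer than a year. The same approach works for the CRL, using `openssl crl -in <crl> -noout -nextupdate` to read the nextUpdate field, since that lifetime is likewise hardcoded in ikectl.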