From ea04ee8b986374e974ef6de7dbd919fa69b7486f Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Mon, 4 Aug 2025 22:19:09 -0700
Subject: [PATCH] Replace magic number with configurable certificate validity period
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Maintainability Improvement

- Replaced hardcoded `+3650d` (10 years) with configurable variable
- Added `certificate_validity_days: 3650` in vars section with clear documentation
- Applied consistently to both server and client certificate signing

## Benefits

- Single location to modify certificate validity period
- Supports compliance requirements for shorter certificate lifespans
- Improves code readability and maintainability
- Eliminates magic number duplication

## Backwards Compatibility

- Default remains 10 years (3650 days) - no behavior change
- Organizations can now easily customize certificate validity as needed

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 roles/strongswan/tasks/openssl.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 255a8c23..b5a9de7a 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -152,7 +152,7 @@
 ownca_path: "{{ ipsec_pki_path }}/cacert.pem"
 ownca_privatekey_path: "{{ ipsec_pki_path }}/private/cakey.pem"
 ownca_privatekey_passphrase: "{{ CA_password }}"
- ownca_not_after: +3650d
+ ownca_not_after: "+{{ certificate_validity_days }}d"
 ownca_not_before: "-1d"
 mode: "0644"
 
@@ -164,7 +164,7 @@
 ownca_path: "{{ ipsec_pki_path }}/cacert.pem"
 ownca_privatekey_path: "{{ ipsec_pki_path }}/private/cakey.pem"
 ownca_privatekey_passphrase: "{{ CA_password }}"
- ownca_not_after: +3650d
+ ownca_not_after: "+{{ certificate_validity_days }}d"
 ownca_not_before: "-1d"
 mode: "0644"
 with_items: "{{ client_csr_jobs.results }}"
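Review bot: The templated `ownca_not_after` on the server certificate is not bounded by the CA certificate's own lifetime, so a `certificate_validity_days` larger than the validity the CA was generated with (earlier in this file, outside the hunk) silently produces leaf certificates that strongSwan and clients will reject once the CA expires, and a value of 0 or a negative number produces a certificate that is expired or fails to sign with an opaque module error. Since the whole point of the commit is to let operators change this value, it should be validated before the signing task runs, and the variable's comment should say it must not exceed the CA certificate's validity. A comparison against the CA's actual lifetime would need whatever `not_after` the CA step uses, which I cannot see from this hunk; the minimal guard is an `assert` task ahead of the signing task. The `openssl_certificate` task this hunk modifies begins before the hunk.
```yaml
- name: Validate configured certificate lifetime
  assert:
    that:
      - certificate_validity_days | int > 0
    fail_msg: "certificate_validity_days must be a positive integer (and must not exceed the CA certificate's validity)"
# … unchanged: server certificate ownca signing task …
```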
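Review bot: Tying the client certificates signed in this `with_items` loop to the same `certificate_validity_days` as the server certificate means an operator who wants short-lived client credentials (the ones handed out to devices and most likely to be lost) must also shorten the server certificate. Since the commit is already introducing the variable, a backward-compatible split costs one line: `ownca_not_after: "+{{ client_certificate_validity_days | default(certificate_validity_days) }}d"`, leaving the server task on `certificate_validity_days`. The client signing task begins before the hunk.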
@@ -251,6 +251,7 @@
 become: false
 vars:
 ansible_python_interpreter: "{{ ansible_playbook_python }}"
+ certificate_validity_days: 3650 # 10 years - configurable certificate lifespan
 - name: Copy the CRL to the vpn server
 copy:
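Review bot: Placing `certificate_validity_days` in this `vars:` stanza of a role tasks file gives it block- or task-level precedence, which in Ansible's variable precedence order outranks play `vars_files` (the project's config file), inventory group_vars/host_vars and role defaults; the only thing that can override it is `-e` on the command line, so the description's claim that organisations can "easily customize" the value does not hold as written. Define the default in `roles/strongswan/defaults/main.yml` as `certificate_validity_days: 3650  # must not exceed the CA certificate's validity` and drop the line from this stanza, keeping the `+…d` templating in the signing tasks unchanged. As a style point, yamllint wants two spaces before an inline `#`, so if the line stays here it should read `certificate_validity_days: 3650  # 10 years - configurable certificate lifespan`. The enclosing block (`delegate_to`/`become`/`vars`) starts before the hunk.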