Bug 1832210 - recent clients reject certificates valid for more than 825 days
Summary: recent clients reject certificates valid for more than 825 days
Keywords:
Status: CLOSED DUPLICATE of bug 1824103
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.3.6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Sandro Bonazzola
QA Contact: meital avital
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-06 10:39 UTC by Yedidyah Bar David
Modified: 2020-05-07 07:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-07 07:08:13 UTC
oVirt Team: Integration
Embargoed:



Description Yedidyah Bar David 2020-05-06 10:39:35 UTC
Description of problem:

This was originally reported in [1]. Searching bugzilla, I also see bug 1562967 (which was closed automatically, perhaps wrongly).

See also:

1. https://support.apple.com/en-us/HT210176

"TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Published Date: November 03, 2019"

2. https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

This applies to public CAs. It seems to me that Apple's decision to apply this to any cert is stricter than needed right now, but I wouldn't be surprised if other browsers started enforcing similar policies soon.

Currently, the certs we generate by our internal CA are:

- For the CA itself - 3650 days (10 years) [2]
- For entities signed by engine-setup (including https) - 1800 days [3][4]
- For hosts, signed by the engine itself (since 4.4) - 5 years [5]

Probably the https cert is the most urgent, and the rest might take years until software starts rejecting them.

[1] https://lists.ovirt.org/archives/list/users@ovirt.org/message/YNL6NSW6GP3IR7GECYE6DNPJA6H2X3RB/
[2] packaging/bin/pki-create-ca.sh:3:CA_DAYS="3650"
[3] packaging/bin/pki-enroll-request.sh:74:DAYS="1800"
[4] packaging/bin/pki-enroll-openssh-cert.sh:71:DAYS="1800"
[5] packaging/dbscripts/upgrade/pre_upgrade/0000_config.sql:527:select fn_db_add_config_value('VdsCertificateValidityInYears','5','general');

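The check described above, written as an added example (not part of the bug report or of the ovirt-engine code): it parses the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, computes the validity period the same way the Apple requirement states it, and flags anything over 825 days. The sample outputs are constructed to match a cert enrolled with `DAYS="1800"` and one enrolled with 825 days.

```python
import sys
from datetime import datetime, timezone

# Limit from https://support.apple.com/en-us/HT210176 (iOS 13 / macOS 10.15).
MAX_VALIDITY_DAYS = 825

# Date format printed by `openssl x509 -noout -dates`,
# e.g. "notBefore=May  6 10:39:35 2020 GMT".
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed samples: issued 2020-05-06 with DAYS=1800 (pki-enroll-request.sh
# default) and with DAYS=825 respectively. Not real ovirt-engine certificates.
SAMPLE_1800_DAYS = "notBefore=May  6 10:39:35 2020 GMT\nnotAfter=Apr 10 10:39:35 2025 GMT\n"
SAMPLE_825_DAYS = "notBefore=May  6 10:39:35 2020 GMT\nnotAfter=Aug  9 10:39:35 2022 GMT\n"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl -dates output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a double space; collapse it.
            parsed = datetime.strptime(" ".join(value.split()), _OPENSSL_DATE_FMT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return dates["notBefore"], dates["notAfter"]


def validity_days(not_before, not_after):
    """Validity period in whole days, i.e. NotAfter minus NotBefore."""
    return (not_after - not_before).days


def exceeds_limit(text, limit=MAX_VALIDITY_DAYS):
    """True if the cert described by `text` will be rejected by 825-day-enforcing clients."""
    not_before, not_after = parse_openssl_dates(text)
    return validity_days(not_before, not_after) > limit


if __name__ == "__main__":
    # Usage: openssl x509 -in <cert.pem> -noout -dates | python3 check_validity.py
    nb, na = parse_openssl_dates(sys.stdin.read())
    days = validity_days(nb, na)
    verdict = "TOO LONG" if days > MAX_VALIDITY_DAYS else "ok"
    print(f"validity: {days} days (limit {MAX_VALIDITY_DAYS}) -> {verdict}")
```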
Comment 1 Sandro Bonazzola 2020-05-07 07:08:13 UTC
Seems a duplicate of bug #1824103

*** This bug has been marked as a duplicate of bug 1824103 ***
