server: reduced autogenerated cert key size to 2048 to speed up testing

server: aligned generated certificate lifespans with cli package

This resolves a break with our `certs` command when attempting to interact
with generated certificates. Fixing this will require a larger refactor
to come in a later commit.

Release justification: low, normalizing existing functionality
Release note: None

pkg/security/auto_tls_init.go

@@ -26,8 +26,8 @@ import (
 )
 
 // TODO(aaron-crl): This shared a name and purpose with the value in
-// pkg/security and should be consolidated.
-const defaultKeySize = 4096
+// pkg/cli/cert.go and should be consolidated.
+const defaultKeySize = 2048
 
 // notBeforeMargin provides a window to compensate for potential clock skew.
 const notBeforeMargin = time.Second * 30

pkg/server/auto_tls_init.go

@@ -28,13 +28,12 @@ import (
 	"github.com/cockroachdb/errors/oserror"
 )
 
-// TODO(aaron-crl): Pluck this from Config.
-// Define default CA certificate lifespan of 366 days.
-const caCertLifespan = time.Hour * 24 * 366
-
-// TODO(aaron-crl): Pluck this from Config.
-// Define default service certificate lifespan of 30 days.
-const serviceCertLifespan = time.Hour * 24 * 30
+// TODO(aaron-crl): This is an exact copy from `pkg/cli/cert.go` and should
+// be refactored to share consts.
+// We use 366 days on certificate lifetimes to at least match X years,
+// otherwise leap years risk putting us just under.
+const defaultCALifetime = 10 * 366 * 24 * time.Hour  // ten years
+const defaultCertLifetime = 5 * 366 * 24 * time.Hour // five years
 
 // Service Name Strings for autogenerated certificates.
 const serviceNameInterNode = "InterNode Service"
@@ -138,7 +137,8 @@ func (sb *ServiceCertificateBundle) loadOrCreateServiceCertificates(
 	serviceKeyPath string,
 	caCertPath string,
 	caKeyPath string,
-	initLifespan time.Duration,
+	serviceCertLifespan time.Duration,
+	caCertLifespan time.Duration,
 	serviceName string,
 	hostnames []string,
 ) error {
@@ -176,7 +176,7 @@ func (sb *ServiceCertificateBundle) loadOrCreateServiceCertificates(
 		}
 	} else if oserror.IsNotExist(err) {
 		// CA cert does not yet exist, create it and its key.
-		err = sb.createServiceCA(caCertPath, caKeyPath, initLifespan, serviceName)
+		err = sb.createServiceCA(caCertPath, caKeyPath, caCertLifespan, serviceName)
 		if err != nil {
 			return errors.Wrap(
 				err, "failed to create Service CA",
@@ -187,7 +187,7 @@ func (sb *ServiceCertificateBundle) loadOrCreateServiceCertificates(
 	// CA cert and key should now be loaded, create service cert and key.
 	//var hostCert, hostKey []byte
 	sb.HostCertificate, sb.HostKey, err = security.CreateServiceCertAndKey(
-		initLifespan,
+		serviceCertLifespan,
 		serviceName,
 		hostnames,
 		sb.CACertificate,
@@ -313,7 +313,8 @@ func (b *CertificateBundle) InitializeFromConfig(c base.Config) error {
 		cl.NodeKeyPath(),
 		cl.CACertPath(),
 		cl.CAKeyPath(),
-		serviceCertLifespan,
+		defaultCertLifetime,
+		defaultCALifetime,
 		serviceNameInterNode,
 		[]string{c.Addr, c.AdvertiseAddr},
 	)
@@ -323,12 +324,10 @@ func (b *CertificateBundle) InitializeFromConfig(c base.Config) error {
 	}
 
 	// Initialize User auth certificates.
-	// TODO(aaron-crl): Double check that we want to do this. It seems
-	// like this is covered by the interface certificates?
 	err = b.UserAuth.loadOrCreateUserAuthCACertAndKey(
 		cl.ClientCACertPath(),
 		cl.ClientCAKeyPath(),
-		caCertLifespan,
+		defaultCALifetime,
 		serviceNameUserAuth,
 	)
 	if err != nil {
@@ -342,7 +341,8 @@ func (b *CertificateBundle) InitializeFromConfig(c base.Config) error {
 		cl.SQLServiceKeyPath(),
 		cl.SQLServiceCACertPath(),
 		cl.SQLServiceCAKeyPath(),
-		serviceCertLifespan,
+		defaultCertLifetime,
+		defaultCALifetime,
 		serviceNameSQL,
 		// TODO(aaron-crl): Add RPC variable to config or SplitSQLAddr.
 		[]string{c.SQLAddr, c.SQLAdvertiseAddr},
@@ -358,7 +358,8 @@ func (b *CertificateBundle) InitializeFromConfig(c base.Config) error {
 		cl.RPCServiceKeyPath(),
 		cl.RPCServiceCACertPath(),
 		cl.RPCServiceCAKeyPath(),
-		serviceCertLifespan,
+		defaultCertLifetime,
+		defaultCALifetime,
 		serviceNameRPC,
 		// TODO(aaron-crl): Add RPC variable to config.
 		[]string{c.SQLAddr, c.SQLAdvertiseAddr},
@@ -374,7 +375,8 @@ func (b *CertificateBundle) InitializeFromConfig(c base.Config) error {
 		cl.UIKeyPath(),
 		cl.UICACertPath(),
 		cl.UICAKeyPath(),
-		serviceCertLifespan,
+		defaultCertLifetime,
+		defaultCALifetime,
 		serviceNameUI,
 		[]string{c.HTTPAddr, c.HTTPAdvertiseAddr},
 	)
@@ -473,7 +475,7 @@ func (sb *ServiceCertificateBundle) loadCACertAndKeyIfExists(
 	certPath string, keyPath string,
 ) error {
 	// TODO(aaron-crl): Possibly add a warning to the log that a CA was not
-	// found
+	// found.
 	err := sb.loadCACertAndKey(certPath, keyPath)
 	if oserror.IsNotExist(err) {
 		return nil
@@ -549,7 +551,7 @@ func rotateGeneratedCerts(c base.Config) error {
 		err = b.InterNode.rotateServiceCert(
 			cl.NodeCertPath(),
 			cl.NodeKeyPath(),
-			serviceCertLifespan,
+			defaultCertLifetime,
 			serviceNameInterNode,
 			[]string{c.HTTPAddr, c.HTTPAdvertiseAddr},
 		)
@@ -565,7 +567,7 @@ func rotateGeneratedCerts(c base.Config) error {
 		err = b.SQLService.rotateServiceCert(
 			cl.SQLServiceCertPath(),
 			cl.SQLServiceKeyPath(),
-			serviceCertLifespan,
+			defaultCertLifetime,
 			serviceNameSQL,
 			[]string{c.HTTPAddr, c.HTTPAdvertiseAddr},
 		)
@@ -579,7 +581,7 @@ func rotateGeneratedCerts(c base.Config) error {
 		err = b.RPCService.rotateServiceCert(
 			cl.RPCServiceCertPath(),
 			cl.RPCServiceKeyPath(),
-			serviceCertLifespan,
+			defaultCertLifetime,
 			serviceNameRPC,
 			[]string{c.HTTPAddr, c.HTTPAdvertiseAddr},
 		)
@@ -593,7 +595,7 @@ func rotateGeneratedCerts(c base.Config) error {
 		err = b.AdminUIService.rotateServiceCert(
 			cl.UICertPath(),
 			cl.UIKeyPath(),
-			serviceCertLifespan,
+			defaultCertLifetime,
 			serviceNameUI,
 			[]string{c.HTTPAddr, c.HTTPAdvertiseAddr},
 		)