cfssl: new CA certificates with an expiry less than or equal to 240s are always expired. #1064

bashims · 2019-11-28T18:59:43Z

I am not entirely sure what is going on here, but it seems that there is no way to generate a valid CA having an expiry less than 5 minutes. The generated CA is either a <= 59 seconds away from expiry or is in fact expired. Is there a work around for this? Expiry handling for CA and other certs seems to be offset by 5 minutes for some reason.

./cfssl-1.4.1 version
Version: 1.4.1
Runtime: go1.12.12

JSON request:

{             
  "CN": "CA",
  "names": [
    {
      "C": "CA",
      "L": "QC",
      "O": "XYZ Inc.",
      "ST": "Montreal",
      "OU": "Infrastructure"
    }
  ],
  "CA": {
    "expiry": "240s",
    "pathlen": 0
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}

Example of the issue.

date; cfssl-1.4.1 gencert -initca EXP-ca-req.json 2> /dev/null | jq -r .cert|openssl x509 -text -in -|egrep 'After|Before'; date
Thu Nov 28 13:32:11 EST 2019
            Not Before: Nov 28 18:27:00 2019 GMT
            Not After : Nov 28 18:31:00 2019 GMT
Thu Nov 28 13:32:12 EST 2019

The text was updated successfully, but these errors were encountered:

nodece linked a pull request Mar 13, 2024 that will close this issue

fix: do not trim notBefore #1366

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cfssl: new CA certificates with an expiry less than or equal to 240s are always expired. #1064

cfssl: new CA certificates with an expiry less than or equal to 240s are always expired. #1064

bashims commented Nov 28, 2019

cfssl: new CA certificates with an expiry less than or equal to 240s are always expired. #1064

cfssl: new CA certificates with an expiry less than or equal to 240s are always expired. #1064

Comments

bashims commented Nov 28, 2019