From bdadff25b475ce9306eb47f316381543775f0107 Mon Sep 17 00:00:00 2001
From: Manuel Mendez
Date: Mon, 30 Jan 2023 11:45:10 -0500
Subject: [PATCH 1/2] csr: Add NotBefore & NotAfter to CAConfig

Setting these was only previously possible with backdate and expiry but could be a pain to figure out the tdeltas correctly. Sometimes its just easier to explicitly give the timestamps.
---
 csr/csr.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/csr/csr.go b/csr/csr.go
index 0ca250994..a39551815 100644
--- a/csr/csr.go
+++ b/csr/csr.go
@@ -18,6 +18,7 @@ import (
 "net/url"
 "strconv"
 "strings"
+ "time"
 cferr "github.com/cloudflare/cfssl/errors"
 "github.com/cloudflare/cfssl/helpers"
@@ -127,10 +128,12 @@ func (kr *KeyRequest) SigAlgo() x509.SignatureAlgorithm {
 // CAConfig is a section used in the requests initialising a new CA.
 type CAConfig struct {
- PathLength int `json:"pathlen" yaml:"pathlen"`
- PathLenZero bool `json:"pathlenzero" yaml:"pathlenzero"`
- Expiry string `json:"expiry" yaml:"expiry"`
- Backdate string `json:"backdate" yaml:"backdate"`
+ PathLength int `json:"pathlen" yaml:"pathlen"`
+ PathLenZero bool `json:"pathlenzero" yaml:"pathlenzero"`
+ Expiry string `json:"expiry" yaml:"expiry"`
+ Backdate string `json:"backdate" yaml:"backdate"`
+ NotBefore time.Time `json:"not_before" yaml:"not_before"`
+ NotAfter time.Time `json:"not_after" yaml:"not_after"`
 }
 // A CertificateRequest encapsulates the API interface to the

From 5fd4c4318c18c5a902031652f7b07859ae2e8a72 Mon Sep 17 00:00:00 2001
From: Manuel Mendez
Date: Mon, 30 Jan 2023 11:47:10 -0500
Subject: [PATCH 2/2] initca: Fill out NotBefore/NotAfter ts from the cert request

This way users can pass these in so the csr and certificate end up with the wanted dates.
---
 initca/initca.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/initca/initca.go b/initca/initca.go
index 40a608502..db5bfa904 100644
--- a/initca/initca.go
+++ b/initca/initca.go
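Review bot: The new NotBefore and NotAfter fields in CAConfig have no doc comment, so a reader of the struct cannot tell how they relate to the existing Expiry and Backdate fields, which one applies when both are given, or whether a zero time means "unset" — the second patch reads them unconditionally, so that contract matters. Because the fields are time.Time, the JSON decoder expects an RFC 3339 timestamp, which is worth stating next to the tags since every other field here is a plain string. I would add above NotBefore: `// NotBefore and NotAfter, when set, give the CA certificate's validity bounds as explicit RFC 3339 timestamps; how they interact with Expiry/Backdate (and a zero value) is decided by the signer and should be stated here once confirmed.` The `type CAConfig struct` block is fully inside the hunk.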
@@ -93,7 +93,12 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
 return
 }
- signReq := signer.SignRequest{Hosts: req.Hosts, Request: string(csrPEM)}
+ signReq := signer.SignRequest{
+ Hosts: req.Hosts,
+ Request: string(csrPEM),
+ NotBefore: req.CA.NotBefore,
+ NotAfter: req.CA.NotAfter,
+ }
 cert, err = s.Sign(signReq)
 return
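Review bot: `req.CA.NotBefore` and `req.CA.NotAfter` are dereferenced unconditionally in the new struct literal; the hunk does not show CertificateRequest, but CAConfig is described as an optional "section" of the request, and if CA is a pointer a request without a ca section now panics with a nil dereference where the old one-line SignRequest did not. The two timestamps are also handed to the signer as-is, with no check here that NotAfter is later than NotBefore or that only one of them was set, so whatever validation and Expiry/Backdate fallback the signer applies to zero values is the only control — that behaviour is not visible in this hunk and should be confirmed. Guarding the read keeps the previous behaviour for requests without a CA section. New's body begins before the hunk and the preceding error-handling branch is only partly visible.
```go
	signReq := signer.SignRequest{Hosts: req.Hosts, Request: string(csrPEM)}
	// Only a request that carries a CA section can pin the validity window;
	// the signer decides what a zero NotBefore/NotAfter means.
	if req.CA != nil {
		signReq.NotBefore = req.CA.NotBefore
		signReq.NotAfter = req.CA.NotAfter
	}
	cert, err = s.Sign(signReq)
```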