Add support for NotBefore and NotAfter to initca #1270
Open
mmlb wants to merge 2 commits into cloudflare:master from
Conversation
Author
FYI here's an example of the weird behavior, I would love it if someone could point out if I'm doing something wrong or if this is a cfssl bug. I tried setting

```bash
#!/usr/bin/env bash
set -o errexit -o nounset -o pipefail

# start clean; FACILITY must be set in the environment
rm -f ./*.pem ./*.csr ca.json ca-config.json server-csr.json

# issue time, and a backdate meant to put NotBefore 10s after the Unix epoch
ssue=$(date +%s)
backdate=$((ssue - 10))
echo ssue=$ssue backdate=$backdate diff=$((ssue-backdate))s
expiry=$(date --date='today + 5 year' +'%s')

# fill in the template, generate the CA and print its NotBefore
sed \
  -e "s|@FACILITY@|$FACILITY|g" \
  -e "s|@BACKDATE@|${backdate}s|g" \
  -e "s|@EXPIRY@|${expiry}s|g" \
  <ca.in.json >ca.json
cfssl gencert -initca ca.json 2>/dev/null |
  jq -r .cert |
  openssl x509 -noout -text |
  grep 'Not Before'
exit
```

ca.in.json looks like:

```json
{
  "CN": "Autogenerated CA",
  "ca": {
    "backdate": "@BACKDATE@",
    "expiry": "@EXPIRY@"
  },
  "names": [
    {
      "L": "@FACILITY@"
    }
  ]
}
```

and here's what I'm seeing, note how the pre-unix-epoch ts only goes up to ...:40 and then jumps back up to 1970-01-01... (hmm now that I think about it maybe it has to do with GMT != UTC maybe?)

```text
$ for i in $(seq 70); do FACILITY=mmlb bash gencerts.sh; sleep 1; done
ssue=1674864355 backdate=1674864345 diff=10s
Not Before: Jan 1 00:00:15 1970 GMT
ssue=1674864356 backdate=1674864346 diff=10s
Not Before: Jan 1 00:00:14 1970 GMT
ssue=1674864357 backdate=1674864347 diff=10s
Not Before: Jan 1 00:00:13 1970 GMT
ssue=1674864358 backdate=1674864348 diff=10s
Not Before: Jan 1 00:00:12 1970 GMT
ssue=1674864359 backdate=1674864349 diff=10s
Not Before: Jan 1 00:00:11 1970 GMT
ssue=1674864360 backdate=1674864350 diff=10s
Not Before: Jan 1 00:00:10 1970 GMT
ssue=1674864362 backdate=1674864352 diff=10s
Not Before: Jan 1 00:00:08 1970 GMT
ssue=1674864363 backdate=1674864353 diff=10s
Not Before: Jan 1 00:00:07 1970 GMT
ssue=1674864364 backdate=1674864354 diff=10s
Not Before: Jan 1 00:00:06 1970 GMT
ssue=1674864365 backdate=1674864355 diff=10s
Not Before: Jan 1 00:00:05 1970 GMT
ssue=1674864366 backdate=1674864356 diff=10s
Not Before: Jan 1 00:00:04 1970 GMT
ssue=1674864367 backdate=1674864357 diff=10s
Not Before: Jan 1 00:00:03 1970 GMT
ssue=1674864368 backdate=1674864358 diff=10s
Not Before: Jan 1 00:00:02 1970 GMT
ssue=1674864369 backdate=1674864359 diff=10s
Not Before: Jan 1 00:00:01 1970 GMT
ssue=1674864370 backdate=1674864360 diff=10s
Not Before: Jan 1 00:00:00 1970 GMT
ssue=1674864371 backdate=1674864361 diff=10s
Not Before: Dec 31 23:59:59 1969 GMT
ssue=1674864372 backdate=1674864362 diff=10s
Not Before: Dec 31 23:59:58 1969 GMT
ssue=1674864373 backdate=1674864363 diff=10s
Not Before: Dec 31 23:59:57 1969 GMT
ssue=1674864374 backdate=1674864364 diff=10s
Not Before: Dec 31 23:59:56 1969 GMT
ssue=1674864375 backdate=1674864365 diff=10s
Not Before: Dec 31 23:59:55 1969 GMT
ssue=1674864376 backdate=1674864366 diff=10s
Not Before: Dec 31 23:59:54 1969 GMT
ssue=1674864377 backdate=1674864367 diff=10s
Not Before: Dec 31 23:59:53 1969 GMT
ssue=1674864378 backdate=1674864368 diff=10s
Not Before: Dec 31 23:59:52 1969 GMT
ssue=1674864379 backdate=1674864369 diff=10s
Not Before: Dec 31 23:59:51 1969 GMT
ssue=1674864380 backdate=1674864370 diff=10s
Not Before: Dec 31 23:59:50 1969 GMT
ssue=1674864381 backdate=1674864371 diff=10s
Not Before: Dec 31 23:59:49 1969 GMT
ssue=1674864382 backdate=1674864372 diff=10s
Not Before: Dec 31 23:59:48 1969 GMT
ssue=1674864383 backdate=1674864373 diff=10s
Not Before: Dec 31 23:59:47 1969 GMT
ssue=1674864384 backdate=1674864374 diff=10s
Not Before: Dec 31 23:59:46 1969 GMT
ssue=1674864386 backdate=1674864376 diff=10s
Not Before: Dec 31 23:59:44 1969 GMT
ssue=1674864387 backdate=1674864377 diff=10s
Not Before: Dec 31 23:59:43 1969 GMT
ssue=1674864388 backdate=1674864378 diff=10s
Not Before: Dec 31 23:59:42 1969 GMT
ssue=1674864389 backdate=1674864379 diff=10s
Not Before: Dec 31 23:59:41 1969 GMT
ssue=1674864390 backdate=1674864380 diff=10s
Not Before: Jan 1 00:00:40 1970 GMT
ssue=1674864391 backdate=1674864381 diff=10s
Not Before: Jan 1 00:00:39 1970 GMT
ssue=1674864392 backdate=1674864382 diff=10s
Not Before: Jan 1 00:00:38 1970 GMT
ssue=1674864393 backdate=1674864383 diff=10s
Not Before: Jan 1 00:00:37 1970 GMT
ssue=1674864394 backdate=1674864384 diff=10s
Not Before: Jan 1 00:00:36 1970 GMT
ssue=1674864395 backdate=1674864385 diff=10s
Not Before: Jan 1 00:00:35 1970 GMT
ssue=1674864396 backdate=1674864386 diff=10s
Not Before: Jan 1 00:00:34 1970 GMT
ssue=1674864397 backdate=1674864387 diff=10s
Not Before: Jan 1 00:00:33 1970 GMT
ssue=1674864398 backdate=1674864388 diff=10s
Not Before: Jan 1 00:00:32 1970 GMT
ssue=1674864399 backdate=1674864389 diff=10s
Not Before: Jan 1 00:00:31 1970 GMT
ssue=1674864400 backdate=1674864390 diff=10s
Not Before: Jan 1 00:00:30 1970 GMT
ssue=1674864401 backdate=1674864391 diff=10s
Not Before: Jan 1 00:00:29 1970 GMT
ssue=1674864402 backdate=1674864392 diff=10s
Not Before: Jan 1 00:00:28 1970 GMT
ssue=1674864403 backdate=1674864393 diff=10s
Not Before: Jan 1 00:00:27 1970 GMT
ssue=1674864404 backdate=1674864394 diff=10s
Not Before: Jan 1 00:00:26 1970 GMT
ssue=1674864405 backdate=1674864395 diff=10s
Not Before: Jan 1 00:00:25 1970 GMT
ssue=1674864406 backdate=1674864396 diff=10s
Not Before: Jan 1 00:00:24 1970 GMT
ssue=1674864407 backdate=1674864397 diff=10s
Not Before: Jan 1 00:00:23 1970 GMT
ssue=1674864408 backdate=1674864398 diff=10s
Not Before: Jan 1 00:00:22 1970 GMT
ssue=1674864410 backdate=1674864400 diff=10s
Not Before: Jan 1 00:00:20 1970 GMT
ssue=1674864411 backdate=1674864401 diff=10s
Not Before: Jan 1 00:00:19 1970 GMT
ssue=1674864412 backdate=1674864402 diff=10s
Not Before: Jan 1 00:00:18 1970 GMT
ssue=1674864413 backdate=1674864403 diff=10s
Not Before: Jan 1 00:00:17 1970 GMT
ssue=1674864414 backdate=1674864404 diff=10s
Not Before: Jan 1 00:00:16 1970 GMT
ssue=1674864415 backdate=1674864405 diff=10s
Not Before: Jan 1 00:00:15 1970 GMT
ssue=1674864416 backdate=1674864406 diff=10s
Not Before: Jan 1 00:00:14 1970 GMT
ssue=1674864417 backdate=1674864407 diff=10s
Not Before: Jan 1 00:00:13 1970 GMT
ssue=1674864418 backdate=1674864408 diff=10s
Not Before: Jan 1 00:00:12 1970 GMT
ssue=1674864419 backdate=1674864409 diff=10s
Not Before: Jan 1 00:00:11 1970 GMT
ssue=1674864420 backdate=1674864410 diff=10s
Not Before: Jan 1 00:00:10 1970 GMT
ssue=1674864421 backdate=1674864411 diff=10s
Not Before: Jan 1 00:00:09 1970 GMT
ssue=1674864422 backdate=1674864412 diff=10s
Not Before: Jan 1 00:00:08 1970 GMT
ssue=1674864423 backdate=1674864413 diff=10s
Not Before: Jan 1 00:00:07 1970 GMT
ssue=1674864424 backdate=1674864414 diff=10s
Not Before: Jan 1 00:00:06 1970 GMT
ssue=1674864425 backdate=1674864415 diff=10s
Not Before: Jan 1 00:00:05 1970 GMT
ssue=1674864426 backdate=1674864416 diff=10s
Not Before: Jan 1 00:00:04 1970 GMT
ssue=1674864427 backdate=1674864417 diff=10s
Not Before: Jan 1 00:00:03 1970 GMT
```
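Added example, not part of the thread and not cfssl's code. The table above has a tell: Not Before counts down one second per run, the rows with issue second :55 through :29 land between epoch+15 and epoch-19, and the run at second :30 jumps forward to epoch+40. That is exactly the result of rounding the issuing time to the nearest minute (halves rounding up) and only then subtracting the backdate, so `backdate=$((ssue - 10))` hits epoch+10 only when the issue time happens to be on a whole minute. The Go below models that computation; the minute rounding is an assumption inferred from the output, not confirmed here against cfssl's source. It reproduces the three sample rows around the :30 boundary and computes the backdate that would land NotBefore on an exact target under that model, which is the arithmetic a user would otherwise have to get right by hand.

```go
package main

import (
	"fmt"
	"time"
)

// notBefore models the behaviour visible in the output above: the issuing
// time is rounded to the nearest minute, then backdate is subtracted.
// ASSUMPTION: the minute rounding is inferred from the output rows, it is
// not taken from cfssl's source.
func notBefore(issue time.Time, backdate time.Duration) time.Time {
	return issue.Round(time.Minute).Add(-backdate)
}

// scriptBackdate reproduces gencerts.sh: backdate=$((ssue - 10)) seconds,
// i.e. the intent is a NotBefore 10s after the Unix epoch.
func scriptBackdate(issue time.Time) time.Duration {
	return time.Duration(issue.Unix()-10) * time.Second
}

// epochOffset is the modeled NotBefore for one "ssue=" row, as seconds since
// the epoch, so the negative (1969) rows are easy to spot.
func epochOffset(issueUnix int64) int64 {
	issue := time.Unix(issueUnix, 0).UTC()
	return notBefore(issue, scriptBackdate(issue)).Unix()
}

// backdateFor returns the backdate that, under the modeled rounding, puts
// NotBefore exactly on target. The rounding depends on the second within the
// minute at issue time, so the value is only right for that issuing minute.
func backdateFor(issue, target time.Time) time.Duration {
	return issue.Round(time.Minute).Sub(target)
}

func main() {
	const layout = "Jan _2 15:04:05 2006 MST"

	// Three rows from the output above: just before, at, and just after the
	// :30 rounding boundary (issue seconds :55, :29 and :30).
	for _, ts := range []int64{1674864355, 1674864389, 1674864390} {
		issue := time.Unix(ts, 0).UTC()
		nb := notBefore(issue, scriptBackdate(issue))
		fmt.Printf("ssue=%d (second :%02d) Not Before: %s (epoch%+ds)\n",
			ts, issue.Second(), nb.Format(layout), nb.Unix())
	}

	// The backdate that would actually hit epoch+10s for a given issue time.
	issue := time.Unix(1674864390, 0).UTC()
	target := time.Unix(10, 0).UTC()
	bd := backdateFor(issue, target)
	fmt.Printf("backdate=%ds at ssue=%d gives Not Before: %s\n",
		int64(bd/time.Second), issue.Unix(), notBefore(issue, bd).Format(layout))
}
```

The practical point for the PR: a relative backdate can only be exact if the caller knows how the signer rounds the issuing time, whereas an explicit NotBefore has no such dependency.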
Author
Back to the actual PR though... Please let me know how this is looking and what you'd like to see added/changed. Thanks!
Setting these was previously only possible with backdate and expiry, but it could be a pain to figure out the time deltas correctly. Sometimes it's just easier to explicitly give the timestamps.
This way users can pass these in so the CSR and certificate end up with the wanted dates.
Force-pushed from 063bfd2 to 5fd4c43
Author
hey @nickysemenza wanted to bring this to your 👀 and get some feedback hopefully. Good idea/bad idea...
Author
ping @nickysemenza
Thanks!
So I was trying to get a cert with NotBefore to be somewhere around right after the Unix Epoch for $reasons and could not come up with a way to get what I wanted with backdate. So I thought it'd be nicer to just add support for NotBefore and NotAfter directly like other operations do.
Fixes: #1038
Fixes: #910