Skip to content

Add support for NotBefore and NotAfter to initca #1270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add support for NotBefore and NotAfter to initca #1270

wants to merge 2 commits into from

Conversation

mmlb
Copy link

@mmlb mmlb commented Jan 27, 2023
edited
Loading

So I was trying to get a cert with NotBefore to be somewhere around right after the Unix Epoch for $reasons and could not come up on a way to get what I wanted with backdate. So I thought it'd be nicer to just add support for NotBefore and NotAfter directly like other operations do.

Fixes: #1038
Fixes: #910

@mmlb
Copy link
Author

mmlb commented Jan 28, 2023

FYI here's an example of the weird behavior, I would love it if someone could point out if I'm doing something wrong or if this is a cfssl bug.

I tried setting backdate and noticed that the calculations weren't very stable. Just to make it easy I tried something like:

#!/usr/bin/env bash

set -o errexit -o nounset -o pipefail
rm -f ./*.pem ./*.csr ca.json ca-config.json server-csr.json

ssue=$(date +%s)
backdate=$((ssue - 10))
echo ssue=$ssue backdate=$backdate diff=$((ssue-backdate))s
expiry=$(date --date='today + 5 year' +'%s')
sed \
	-e "s|@FACILITY@|$FACILITY|g" \
	-e "s|@BACKDATE@|${backdate}s|g" \
	-e "s|@EXPIRY@|${expiry}s|g" \
	<ca.in.json >ca.json
cfssl gencert -initca ca.json 2>/dev/null |
	jq -r .cert |
	openssl x509 -noout -text |
	grep 'Not Before'
exit

ca.in.json looks like:

{
  "CN": "Autogenerated CA",
  "ca": {
    "backdate": "@BACKDATE@",
    "expiry": "@EXPIRY@"
  },
  "names": [
    {
      "L": "@FACILITY@"
    }
  ]
}

and here's what I'm seeing, note how the the pre-unix-epoch ts only goes up to ...:40 and then jumps back up to 1970-01-01... (hmm now that I think about it maybe it has to do with GMT != UTC maybe?)

$ for i in $(seq 70); do FACILITY=mmlb bash gencerts.sh; sleep 1; done
ssue=1674864355 backdate=1674864345 diff=10s
            Not Before: Jan  1 00:00:15 1970 GMT
ssue=1674864356 backdate=1674864346 diff=10s
            Not Before: Jan  1 00:00:14 1970 GMT
ssue=1674864357 backdate=1674864347 diff=10s
            Not Before: Jan  1 00:00:13 1970 GMT
ssue=1674864358 backdate=1674864348 diff=10s
            Not Before: Jan  1 00:00:12 1970 GMT
ssue=1674864359 backdate=1674864349 diff=10s
            Not Before: Jan  1 00:00:11 1970 GMT
ssue=1674864360 backdate=1674864350 diff=10s
            Not Before: Jan  1 00:00:10 1970 GMT
ssue=1674864362 backdate=1674864352 diff=10s
            Not Before: Jan  1 00:00:08 1970 GMT
ssue=1674864363 backdate=1674864353 diff=10s
            Not Before: Jan  1 00:00:07 1970 GMT
ssue=1674864364 backdate=1674864354 diff=10s
            Not Before: Jan  1 00:00:06 1970 GMT
ssue=1674864365 backdate=1674864355 diff=10s
            Not Before: Jan  1 00:00:05 1970 GMT
ssue=1674864366 backdate=1674864356 diff=10s
            Not Before: Jan  1 00:00:04 1970 GMT
ssue=1674864367 backdate=1674864357 diff=10s
            Not Before: Jan  1 00:00:03 1970 GMT
ssue=1674864368 backdate=1674864358 diff=10s
            Not Before: Jan  1 00:00:02 1970 GMT
ssue=1674864369 backdate=1674864359 diff=10s
            Not Before: Jan  1 00:00:01 1970 GMT
ssue=1674864370 backdate=1674864360 diff=10s
            Not Before: Jan  1 00:00:00 1970 GMT
ssue=1674864371 backdate=1674864361 diff=10s
            Not Before: Dec 31 23:59:59 1969 GMT
ssue=1674864372 backdate=1674864362 diff=10s
            Not Before: Dec 31 23:59:58 1969 GMT
ssue=1674864373 backdate=1674864363 diff=10s
            Not Before: Dec 31 23:59:57 1969 GMT
ssue=1674864374 backdate=1674864364 diff=10s
            Not Before: Dec 31 23:59:56 1969 GMT
ssue=1674864375 backdate=1674864365 diff=10s
            Not Before: Dec 31 23:59:55 1969 GMT
ssue=1674864376 backdate=1674864366 diff=10s
            Not Before: Dec 31 23:59:54 1969 GMT
ssue=1674864377 backdate=1674864367 diff=10s
            Not Before: Dec 31 23:59:53 1969 GMT
ssue=1674864378 backdate=1674864368 diff=10s
            Not Before: Dec 31 23:59:52 1969 GMT
ssue=1674864379 backdate=1674864369 diff=10s
            Not Before: Dec 31 23:59:51 1969 GMT
ssue=1674864380 backdate=1674864370 diff=10s
            Not Before: Dec 31 23:59:50 1969 GMT
ssue=1674864381 backdate=1674864371 diff=10s
            Not Before: Dec 31 23:59:49 1969 GMT
ssue=1674864382 backdate=1674864372 diff=10s
            Not Before: Dec 31 23:59:48 1969 GMT
ssue=1674864383 backdate=1674864373 diff=10s
            Not Before: Dec 31 23:59:47 1969 GMT
ssue=1674864384 backdate=1674864374 diff=10s
            Not Before: Dec 31 23:59:46 1969 GMT
ssue=1674864386 backdate=1674864376 diff=10s
            Not Before: Dec 31 23:59:44 1969 GMT
ssue=1674864387 backdate=1674864377 diff=10s
            Not Before: Dec 31 23:59:43 1969 GMT
ssue=1674864388 backdate=1674864378 diff=10s
            Not Before: Dec 31 23:59:42 1969 GMT
ssue=1674864389 backdate=1674864379 diff=10s
            Not Before: Dec 31 23:59:41 1969 GMT
ssue=1674864390 backdate=1674864380 diff=10s
            Not Before: Jan  1 00:00:40 1970 GMT
ssue=1674864391 backdate=1674864381 diff=10s
            Not Before: Jan  1 00:00:39 1970 GMT
ssue=1674864392 backdate=1674864382 diff=10s
            Not Before: Jan  1 00:00:38 1970 GMT
ssue=1674864393 backdate=1674864383 diff=10s
            Not Before: Jan  1 00:00:37 1970 GMT
ssue=1674864394 backdate=1674864384 diff=10s
            Not Before: Jan  1 00:00:36 1970 GMT
ssue=1674864395 backdate=1674864385 diff=10s
            Not Before: Jan  1 00:00:35 1970 GMT
ssue=1674864396 backdate=1674864386 diff=10s
            Not Before: Jan  1 00:00:34 1970 GMT
ssue=1674864397 backdate=1674864387 diff=10s
            Not Before: Jan  1 00:00:33 1970 GMT
ssue=1674864398 backdate=1674864388 diff=10s
            Not Before: Jan  1 00:00:32 1970 GMT
ssue=1674864399 backdate=1674864389 diff=10s
            Not Before: Jan  1 00:00:31 1970 GMT
ssue=1674864400 backdate=1674864390 diff=10s
            Not Before: Jan  1 00:00:30 1970 GMT
ssue=1674864401 backdate=1674864391 diff=10s
            Not Before: Jan  1 00:00:29 1970 GMT
ssue=1674864402 backdate=1674864392 diff=10s
            Not Before: Jan  1 00:00:28 1970 GMT
ssue=1674864403 backdate=1674864393 diff=10s
            Not Before: Jan  1 00:00:27 1970 GMT
ssue=1674864404 backdate=1674864394 diff=10s
            Not Before: Jan  1 00:00:26 1970 GMT
ssue=1674864405 backdate=1674864395 diff=10s
            Not Before: Jan  1 00:00:25 1970 GMT
ssue=1674864406 backdate=1674864396 diff=10s
            Not Before: Jan  1 00:00:24 1970 GMT
ssue=1674864407 backdate=1674864397 diff=10s
            Not Before: Jan  1 00:00:23 1970 GMT
ssue=1674864408 backdate=1674864398 diff=10s
            Not Before: Jan  1 00:00:22 1970 GMT
ssue=1674864410 backdate=1674864400 diff=10s
            Not Before: Jan  1 00:00:20 1970 GMT
ssue=1674864411 backdate=1674864401 diff=10s
            Not Before: Jan  1 00:00:19 1970 GMT
ssue=1674864412 backdate=1674864402 diff=10s
            Not Before: Jan  1 00:00:18 1970 GMT
ssue=1674864413 backdate=1674864403 diff=10s
            Not Before: Jan  1 00:00:17 1970 GMT
ssue=1674864414 backdate=1674864404 diff=10s
            Not Before: Jan  1 00:00:16 1970 GMT
ssue=1674864415 backdate=1674864405 diff=10s
            Not Before: Jan  1 00:00:15 1970 GMT
ssue=1674864416 backdate=1674864406 diff=10s
            Not Before: Jan  1 00:00:14 1970 GMT
ssue=1674864417 backdate=1674864407 diff=10s
            Not Before: Jan  1 00:00:13 1970 GMT
ssue=1674864418 backdate=1674864408 diff=10s
            Not Before: Jan  1 00:00:12 1970 GMT
ssue=1674864419 backdate=1674864409 diff=10s
            Not Before: Jan  1 00:00:11 1970 GMT
ssue=1674864420 backdate=1674864410 diff=10s
            Not Before: Jan  1 00:00:10 1970 GMT
ssue=1674864421 backdate=1674864411 diff=10s
            Not Before: Jan  1 00:00:09 1970 GMT
ssue=1674864422 backdate=1674864412 diff=10s
            Not Before: Jan  1 00:00:08 1970 GMT
ssue=1674864423 backdate=1674864413 diff=10s
            Not Before: Jan  1 00:00:07 1970 GMT
ssue=1674864424 backdate=1674864414 diff=10s
            Not Before: Jan  1 00:00:06 1970 GMT
ssue=1674864425 backdate=1674864415 diff=10s
            Not Before: Jan  1 00:00:05 1970 GMT
ssue=1674864426 backdate=1674864416 diff=10s
            Not Before: Jan  1 00:00:04 1970 GMT
ssue=1674864427 backdate=1674864417 diff=10s
            Not Before: Jan  1 00:00:03 1970 GMT

@mmlb
Copy link
Author

mmlb commented Jan 28, 2023

Back to the actual PR though... Please let me know how this is looking and what you'd like to see added/changed.

Thanks!

@mmlb mmlb marked this pull request as ready for review January 28, 2023 00:12
mmlb added 2 commits January 30, 2023 11:45
@mmlb
csr: Add NotBefore & NotAfter to CAConfig
bdadff2 
Setting these was only previously possible with backdate and expiry but could
be a pain to figure out the tdeltas correctly. Sometimes its just easier to
explicitly give the timestamps.
@mmlb
initca: Fill out NotBefore/NotAfter ts from the cert request
5fd4c43 
This way users can pass these in so the csr and certificate end up with the
wanted dates.
@mmlb mmlb force-pushed the initca-support-not_before-not_after branch from 063bfd2 to 5fd4c43 Compare January 30, 2023 16:48
@mmlb
Copy link
Author

mmlb commented Feb 1, 2023

hey @nickysemenza wanted to bring this to your 👀 and get some feedback hopefully. Good idea/bad idea...

@mmlb
Copy link
Author

mmlb commented Jul 19, 2023

ping @nickysemenza

@JoeLeeone
Copy link

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@mmlb @JoeLeeone