
Find a way to generate certs with validity beyond year 2049


Issue Summary

The X.509 certificates we generate currently cannot have a notAfter later than 2049 because of a limitation in the x509 library we use (presumably it only emits UTCTime validity dates; RFC 5280 §4.1.2.5 requires dates from 2050 onward to be encoded as GeneralizedTime, which UTCTime's two-digit year cannot express). We should explore how to extend validity beyond 2049.

@ukrocks007 Can you please file an issue on https://github.com/PeculiarVentures/x509.


@deepakprabhakara https://github.com/PeculiarVentures/x509/issues/36


@deepakprabhakara looks like node-forge can fulfill our use case. The script below generates self-signed certificates with notAfter in 2049, 2100 and 3000, then round-trips each PEM through Node's built-in `X509Certificate` parser and prints `validTo` so we can confirm the date is read back rather than reported as `Bad time value`.

var forge = require('node-forge');
const { X509Certificate } = require('crypto');

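// Shorthand for node-forge's PKI namespace (key generation, certificates, PEM).
// `const` rather than `var`: nothing below should rebind it.
const pki = forge.pki;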
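/**
 * Build a self-signed X.509 certificate and return it as PEM.
 *
 * The purpose of this script is to check that the validity dates survive
 * encoding when notAfter is later than 2049: RFC 5280 §4.1.2.5 requires dates
 * from 2050 onward to be encoded as GeneralizedTime instead of UTCTime.
 * NOTE(review): whether node-forge picks the right time encoding is not
 * established here; the X509Certificate round-trip further down is what
 * confirms it.
 *
 * NOTE(review): a notAfter centuries out means expiry never bounds the
 * lifetime of a leaked key; rotation/revocation has to be handled elsewhere.
 *
 * @param {string|number|Date} [date] - notAfter; anything `new Date()` accepts.
 *   Falsy values fall back to 2049-12-31T23:59:59Z, the last instant UTCTime
 *   can express.
 * @returns {string} PEM-encoded certificate. The private key is discarded,
 *   so this is only useful as a probe, not for issuing real certificates.
 * @throws {Error} if `date` does not parse to a valid Date.
 */
function createPEM(date) {
    const keys = pki.rsa.generateKeyPair(2048);
    const cert = pki.createCertificate();
    cert.publicKey = keys.publicKey;

    // RFC 5280 §4.1.2.2: serial numbers must be positive, unique per issuer
    // and at most 20 octets. A fixed '01' gives every certificate this issuer
    // produces the same (issuer, serial) pair, which validators may reject or
    // cache against each other. Use 16 random bytes and pin the leading byte
    // to 0x40-0x7f: top bit clear keeps the DER INTEGER positive, non-zero
    // leading byte keeps the encoding minimal.
    const raw = forge.random.getBytesSync(16);
    const lead = String.fromCharCode((raw.charCodeAt(0) & 0x7f) | 0x40);
    cert.serialNumber = forge.util.bytesToHex(lead + raw.slice(1));

    // Fail loudly on an unparseable date instead of encoding an Invalid Date.
    const notAfter = date ? new Date(date) : new Date('2049-12-31T23:59:59Z');
    if (Number.isNaN(notAfter.getTime())) {
        throw new Error(`createPEM: invalid notAfter date: ${date}`);
    }
    cert.validity.notBefore = new Date();
    cert.validity.notAfter = notAfter;

    // NOTE(review): subject, SAN and the key-usage/EKU sets below are
    // node-forge README sample values, not what a SAML signing certificate
    // needs; trim them to the real use case before adopting this code.
    const attrs = [{
        name: 'commonName',
        value: 'boxyhq.com'
    }, {
        name: 'countryName',
        value: 'US'
    }, {
        shortName: 'ST',
        value: 'Virginia'
    }, {
        name: 'localityName',
        value: 'Blacksburg'
    }, {
        name: 'organizationName',
        value: 'BoxyHQ'
    }, {
        shortName: 'OU',
        value: 'Test'
    }];
    cert.setSubject(attrs);
    // Self-signed: issuer is the subject.
    cert.setIssuer(attrs);
    cert.setExtensions([{
        name: 'basicConstraints',
        cA: false
    }, {
        // keyCertSign dropped: RFC 5280 §4.2.1.3 requires cA to be asserted
        // whenever keyCertSign is, and this is an end-entity certificate.
        name: 'keyUsage',
        digitalSignature: true,
        nonRepudiation: true,
        keyEncipherment: true,
        dataEncipherment: true
    }, {
        name: 'extKeyUsage',
        serverAuth: true,
        clientAuth: true,
        codeSigning: true,
        emailProtection: true,
        timeStamping: true
    }, {
        // Legacy Netscape extension; the CA bits were removed to agree with
        // basicConstraints cA: false.
        name: 'nsCertType',
        client: true,
        server: true,
        email: true,
        objsign: true
    }, {
        name: 'subjectAltName',
        altNames: [{
            type: 6, // GeneralName uniformResourceIdentifier
            value: 'http://example.org/webid#me'
        }, {
            type: 7, // GeneralName iPAddress
            ip: '127.0.0.1'
        }]
    }, {
        name: 'subjectKeyIdentifier'
    }]);

    // Self-sign with SHA-256 explicitly: node-forge's cert.sign() defaults to
    // SHA-1, which most verifiers now reject or warn on for signatures.
    cert.sign(keys.privateKey, forge.md.sha256.create());

    return pki.certificateToPem(cert);
}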

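/**
 * Round-trip a generated PEM through Node's own X.509 parser and print what
 * it reads back as notAfter. A validTo of 'Bad time value' means OpenSSL
 * could not decode the encoded validity date, which is the failure mode this
 * issue is about for dates after 2049.
 *
 * @param {string} [date] - notAfter handed to createPEM; undefined uses its
 *   default (2049-12-31T23:59:59Z).
 */
function reportValidTo(date) {
    const pem = createPEM(date);
    const { validTo } = new X509Certificate(pem);
    // NOTE(review): validTo is OpenSSL's text form (e.g. "Dec 31 23:59:59
    // 2100 GMT"), not ISO 8601, so `new Date(validTo)` leans on V8's lenient
    // parser; prefer X509Certificate's Date-valued accessor on Node versions
    // that have one. Strict equality: the original `==` hid nothing here but
    // `===` is what the comparison means.
    console.log(validTo, validTo === 'Bad time value', new Date(validTo));
    console.log(pem);
}

// 2049 is the UTCTime ceiling; 2100 and 3000 can only be GeneralizedTime.
// One loop replaces three copy-pasted stanzas that re-declared `var pem`.
for (const date of [undefined, '2100-12-31T23:59:59Z', '3000-12-31T23:59:59Z']) {
    reportValidTo(date);
}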


@ukrocks007 Sounds good
