
Setting expiry for CA certificate

Open mckenziec opened this issue 6 years ago • 7 comments

version: 1.2, OS: CentOS 7.5

Hi. I know this has probably been asked before, but I can't change the 5-year default CA cert expiry no matter what I try. Here's my ca-config.json:

{
    "signing": {
        "default": {
            "expiry": "143800h"
        },
        "profiles": {
            "ca": {
                "usages": [
                    "cert sign",
                    "crl sign"
                ],
                "expiry": "143800h"
            }
        }
    }
}

When I generate the ca cert the expiry is 5 years:

$ echo "{\"CN\":\"test\",\"key\":{\"algo\":\"rsa\",\"size\":4096},\"names\":[{\"C\":\"CA\",\"O\":\"test\",\"OU\":\"test\"}]}" | cfssl gencert -initca -config=./ca-config.json - | cfssljson -bare ca -
$ cfssl certinfo -cert ca.pem | grep not
  "not_before": "2019-09-12T16:46:00Z",
  "not_after": "2024-09-10T16:46:00Z",

How can I assign the ca cert expiry? In some of the cfssl tests I see a "ca" profile with expiry assigned, like above. Does this work? Or is it for something else?

https://github.com/cloudflare/cfssl/blob/275fb308ac705bf5631d23b941f7b56dc436e39d/signer/universal/universal_test.go

mckenziec, Sep 12 '19 17:09

https://github.com/cloudflare/cfssl/blob/275fb308ac705bf5631d23b941f7b56dc436e39d/doc/cmd/cfssl.txt

I tried not_after as well in the "ca" signing profile:

{
    "signing": {
        "default": {
            "expiry": "143800h"
        },
        "profiles": {
            "ca": {
                "not_after": "2034-09-10T17:03:00Z",
                "usages": [
                    "cert sign",
                    "crl sign"
                ],
                "expiry": "1143800h"
            }
        }
    }
}

Is the "ca" profile used by -initca at all?

mckenziec, Sep 12 '19 17:09

Adding a CA section to your input should work, e.g.

{
    "CA": {
        "expiry": "87600h",
        "pathlen": 0
    },
    "CN": "test",
    ...
}

roland-ruedenauer, Sep 22 '19 23:09

Doesn't work for me. I deleted my certs, used the following CSR config, then ran:

echo <json string of the below csr> | cfssl gencert -initca - | cfssljson -bare ca -

{
    "CA": {
        "expiry": "127200h",
        "pathlen": 0
    },
    "CN": "test",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [
        {
            "C": "CA",
            "O": "test",
            "OU": "test"
        }
    ]
}

The cert is still set to expire in 5 years: ... "not_before": "2019-09-23T15:29:00Z", "not_after": "2024-09-21T15:29:00Z", ...

mckenziec, Sep 23 '19 18:09

Strange. Using your CSR input on Ubuntu 19.04 I get

$ cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.8.1

$ cat ca-csr.json 
{
            "CA": {
                "expiry": "127200h",
                "pathlen": 0
            },
            "CN": "test",
            "key": {
                "algo": "rsa",
                "size": 4096
            },
            "names": [
                {
                    "C": "CA",
                    "O": "test",
                    "OU": "test"
                }
            ]
}

$ cat ca-csr.json | cfssl gencert -initca - | cfssljson -bare ca
2019/09/24 00:00:44 [INFO] generating a new CA key and certificate from CSR
2019/09/24 00:00:44 [INFO] generate received request
2019/09/24 00:00:44 [INFO] received CSR
2019/09/24 00:00:44 [INFO] generating key: rsa-4096
2019/09/24 00:00:45 [INFO] encoded CSR
2019/09/24 00:00:45 [INFO] signed certificate with serial number 135893878869276442113108825142012964381301331610

$ openssl x509 -inform pem -in ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:cd:b1:39:4e:2f:22:65:57:5c:bd:42:61:f8:b6:07:5d:4a:d6:9a
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = CA, O = test, OU = test, CN = test
        Validity
            Not Before: Sep 23 21:56:00 2019 GMT
            Not After : Mar 28 21:56:00 2034 GMT
        Subject: C = CA, O = test, OU = test, CN = test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        ...

Got the same result on CentOS using cfssl installation described here: http://www.pimwiddershoven.nl/entry/install-cfssl-and-cfssljson-cloudflare-kpi-toolkit

roland-ruedenauer, Sep 23 '19 22:09

Hi all,

> Is the "ca" profile used by -initca at all?

It wasn't; here's a PR to address this https://github.com/cloudflare/cfssl/pull/1102

If it helps, I also confirm that passing the CA section to stdin (as suggested by @roland-ruedenauer) works for me, on commit 6b49beae21ff90a09aea3901741ef02b1057ee65 of master, using your configuration:

$ cat in
{"CA":{"expiry":"87600h","pathlen":0},"CN":"test","key":{"algo":"rsa","size":4096},"names":[{"C":"CA","O":"test","OU":"test"}]}
$ cat ca-config.json
{"signing":{"default":{"expiry":"143800h"},"profiles":{"ca":{"usages":["cert sign","crl sign"],"expiry":"143800h"}}}}

Then:

  • cat in | cfssl gencert -initca -config=./ca-config.json - | cfssljson -bare ca -
  • cfssl certinfo -cert ca.pem | grep not gives a 10-year expiry

lbarman, Apr 23 '20 15:04
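To make the behaviour the thread converges on concrete, here is an added example (written for this page, not cfssl's own code) that models in standard-library Go what the "CA" section of the gencert request controls: the root's validity comes from CA.expiry, which cfssl treats as a Go duration string (hence "87600h", and why "10y" is rejected), pathlen ends up as the pathLenConstraint, and nothing from the -config signing profiles is consulted. The five-year default and the 5-minute backdate are modelled on what the thread's certinfo output shows; the request struct, the reqNoCA/reqWithCA inputs and the selfSignCA/validityYears helpers are this example's own, not cfssl's API.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Request mirrors the parts of a cfssl gencert request used here. The "CA"
// section is what -initca reads for validity and path length; the "ca"
// signing profile in -config is not consulted for the root itself.
type Request struct {
	CN    string  `json:"CN"`
	Names []Name  `json:"names"`
	CA    *CAOpts `json:"CA,omitempty"`
}

type Name struct {
	C  string `json:"C"`
	O  string `json:"O"`
	OU string `json:"OU"`
}

type CAOpts struct {
	Expiry  string `json:"expiry"` // Go duration string, e.g. "87600h"
	PathLen int    `json:"pathlen"`
}

// defaultCAExpiry is the five years the thread keeps running into when no CA
// section is supplied (assumed default, matching the observed not_after).
const defaultCAExpiry = 5 * 365 * 24 * time.Hour

// Constructed sample requests: one without a CA section, one asking for a
// 10-year root that may not sign intermediates (pathlen 0).
const (
	reqNoCA   = `{"CN":"test","names":[{"C":"CA","O":"test","OU":"test"}]}`
	reqWithCA = `{"CA":{"expiry":"87600h","pathlen":0},"CN":"test","names":[{"C":"CA","O":"test","OU":"test"}]}`
)

// caValidity returns the validity the request asks for, or five years when
// the CA section (or its expiry) is absent.
func caValidity(req *Request) (time.Duration, error) {
	if req.CA == nil || req.CA.Expiry == "" {
		return defaultCAExpiry, nil
	}
	return time.ParseDuration(req.CA.Expiry) // only h/m/s units; "10y" is an error
}

// selfSignCA issues a self-signed root from the request, applying the CA
// section's expiry and pathlen the way the thread shows -initca doing.
func selfSignCA(reqJSON []byte, now time.Time) (*x509.Certificate, error) {
	var req Request
	if err := json.Unmarshal(reqJSON, &req); err != nil {
		return nil, err
	}
	validity, err := caValidity(&req)
	if err != nil {
		return nil, fmt.Errorf("bad CA.expiry: %w", err)
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the example quick
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: req.CN}
	for _, n := range req.Names {
		subject.Country = append(subject.Country, n.C)
		subject.Organization = append(subject.Organization, n.O)
		subject.OrganizationalUnit = append(subject.OrganizationalUnit, n.OU)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             now.Add(-5 * time.Minute), // backdate for clock skew
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            -1, // no pathLenConstraint unless the CA section sets one
	}
	if req.CA != nil {
		tmpl.MaxPathLen = req.CA.PathLen
		tmpl.MaxPathLenZero = req.CA.PathLen == 0 // "pathlen": 0 must be encoded explicitly
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validityYears is the certinfo/openssl check from the thread, done in code.
func validityYears(c *x509.Certificate) float64 {
	return c.NotAfter.Sub(c.NotBefore).Hours() / (365 * 24)
}

func main() {
	for _, r := range []string{reqNoCA, reqWithCA} {
		c, err := selfSignCA([]byte(r), time.Now())
		if err != nil {
			panic(err)
		}
		fmt.Printf("not_after=%s (%.2f years) pathlen=%d\n",
			c.NotAfter.UTC().Format(time.RFC3339), validityYears(c), c.MaxPathLen)
		fmt.Print(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
	}
}
```

Running it prints a 5-year root for the request without a CA section and a 10-year, pathlen-0 root for the one with it; the same two requests piped into cfssl gencert -initca and checked with cfssl certinfo -cert ca.pem should show the same not_after difference, regardless of what -config says.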

https://github.com/lbarman/cfssl/pull/4#issuecomment-682319235 solved my problem.

csuzhangxc, Jan 06 '21 05:01

Well, this issue solved my problem. I'm confused about why we can't put all profiles in a single file, rather than having a CA profile hanging somewhere else. So we might need to do some cleanup of our documentation and give users a guide to "make the internet much better and safer".

kmahyyg, May 29 '23 07:05