
cfssl: new CA certificates with an expiry less than or equal to 240s are always expired.

Open bashims opened this issue 5 years ago • 0 comments

I am not entirely sure what is going on here, but it seems that there is no way to generate a valid CA having an expiry less than 5 minutes. The generated CA is either <= 59 seconds away from expiry or is in fact expired. Is there a workaround for this? Expiry handling for CA and other certs seems to be offset by 5 minutes for some reason.

./cfssl-1.4.1 version
Version: 1.4.1
Runtime: go1.12.12

JSON request:

{
  "CN": "CA",
  "names": [
    {
      "C": "CA",
      "L": "QC",
      "O": "XYZ Inc.",
      "ST": "Montreal",
      "OU": "Infrastructure"
    }
  ],
  "CA": {
    "expiry": "240s",
    "pathlen": 0
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}

Example of the issue.

date; cfssl-1.4.1 gencert -initca EXP-ca-req.json 2> /dev/null | jq -r .cert|openssl x509 -text -in -|egrep 'After|Before'; date
Thu Nov 28 13:32:11 EST 2019
            Not Before: Nov 28 18:27:00 2019 GMT
            Not After : Nov 28 18:31:00 2019 GMT
Thu Nov 28 13:32:12 EST 2019

bashims, Nov 28 '19 18:11
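The timestamps in the report fit a simple model, shown here as an added example that is not part of the original issue and not cfssl's own code. It assumes NotBefore is the issuance time rounded to the minute minus a 5-minute backdate, and NotAfter is NotBefore plus the requested expiry; the names `Window`, `Remaining`, `IssuedAt` and `assumedBackdate` are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed model, inferred from the output in the issue (not copied from cfssl):
//   NotBefore = issuance time rounded to the minute, minus a fixed backdate
//   NotAfter  = NotBefore + requested expiry
const assumedBackdate = 5 * time.Minute

// Window returns the validity window the model predicts for a cert issued at now.
func Window(now time.Time, expiry time.Duration) (notBefore, notAfter time.Time) {
	notBefore = now.Round(time.Minute).Add(-assumedBackdate)
	return notBefore, notBefore.Add(expiry)
}

// Remaining is the usable lifetime left at issuance; <= 0 means born expired.
func Remaining(now time.Time, expiry time.Duration) time.Duration {
	_, notAfter := Window(now, expiry)
	return notAfter.Sub(now)
}

// IssuedAt is the first `date` output from the issue (13:32:11 EST = 18:32:11 GMT).
func IssuedAt() time.Time {
	return time.Date(2019, time.November, 28, 18, 32, 11, 0, time.UTC)
}

func main() {
	now := IssuedAt()
	// 240s is the expiry from the issue; the other values are constructed for comparison.
	expiries := []time.Duration{240 * time.Second, 300 * time.Second,
		330 * time.Second, 10 * time.Minute}
	for _, e := range expiries {
		nb, na := Window(now, e)
		fmt.Printf("expiry=%-6v NotBefore=%s NotAfter=%s remaining=%v\n",
			e, nb.Format("15:04:05"), na.Format("15:04:05"), Remaining(now, e))
	}
}
```

Under this model, rounding moves NotBefore by at most 30 seconds either way, so the usable lifetime at issuance is the requested expiry minus 5 minutes, give or take 30 seconds. A monitoring or test harness that issues short-lived certificates can use the same calculation to reject an expiry that would yield a certificate that is already expired.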