CA: certificate validity period should be per-profile instead of per-CA #7339

Open
Tracked by #7310
pgporada opened this issue Feb 26, 2024 · 0 comments
pgporada commented Feb 26, 2024

A boulder-ca instance currently can only issue certificates with a single defined validity period. With the current boulder-ca code, to offer different validity periods in addition to our current 90-day certs, e.g. a short-lived cert of 7 days, we would need to run a separate set of WFE, RA, and CA instances. Instead, each certificate profile should control the validity period.

A boulder-ca today can only issue certificates with one specific lifetime due to the Expiry field being outside the purview of a certificate profile. The maxValidity in each certificate profile is only used to check if it's less than the CA's expiry field.

Why does this matter? Doesn't a client CSR tell us what the lifetime should be? Well, yes, but also no. Inside ca.generateSerialNumberAndValidity, the CA silently drops the notBefore and notAfter from a client CSR and creates its own validity struct containing a notBefore and notAfter. The CA then passes that validity struct to ca.issuePrecertificate etc. This transformation of the notBefore and notAfter is what binds each profile, regardless of its configured maxValidity, to the CA's expiry field.


I noticed this while writing a unit test for multiple certificate profile support. Here's an example short-lived profile with my faulty assumption that MaxValidityPeriod would be used to calculate the certificate lifetime.

```go
shortLived, err := issuance.NewProfile(
	issuance.ProfileConfig{
		Name:            "shortLived",
		AllowMustStaple: true,
		AllowCTPoison:   true,
		AllowSCTList:    true,
		AllowCommonName: true,
		Policies: []issuance.PolicyConfig{
			{OID: "2.23.140.1.2.1"},
		},
		// 240h = 10 days
		MaxValidityPeriod:   config.Duration{Duration: time.Hour * 240},
		MaxValidityBackdate: config.Duration{Duration: time.Hour},
```

Here's a CA impl it was attached to from a setup function.

```go
return &testCtx{
	pa:           pa,
	ocsp:         ocsp,
	crl:          crl,
	profile:      deprecatedProfile,
	certProfiles: certProfiles,
	// 8760h = 365 days; this single per-CA value applies to every profile
	certExpiry: 8760 * time.Hour,
```

and a resulting error I received when trying to issue from this short-lived profile.

```
=== RUN   TestIssueCertificateForPrecertificateWithSpecificCertificateProfile
    ca_test.go:1020: Failed to issue precert: failed to prepare precertificate signing: validity period is more than the maximum allowed period (8760h0m0s>240h0m0s)
```
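
The mismatch described in this issue can be modelled in a few lines. This is an added example, not Boulder's code and not written by the issue author: the `profile` and `validity` types, the `checkMax`, `perCA` and `perProfile` functions, the inclusive-notAfter arithmetic and the timestamp are all assumptions made for illustration. `perCA` applies one CA-wide lifetime to every profile and reproduces the error above, while `perProfile` derives the lifetime from the profile itself.

```go
package main

import (
	"fmt"
	"time"
)

// profile and validity are hypothetical stand-ins, not Boulder's types.
type profile struct {
	name        string
	maxValidity time.Duration
}

type validity struct{ notBefore, notAfter time.Time }

// checkMax models the profile-side limit; notAfter is treated as inclusive (assumption).
func checkMax(p profile, v validity) error {
	period := v.notAfter.Add(time.Second).Sub(v.notBefore)
	if period > p.maxValidity {
		return fmt.Errorf("validity period is more than the maximum allowed period (%s>%s)", period, p.maxValidity)
	}
	return nil
}

// perCA stamps every certificate with the single CA-wide lifetime, whatever the profile says.
func perCA(caExpiry, backdate time.Duration, p profile, now time.Time) (validity, error) {
	nb := now.Add(-backdate)
	v := validity{nb, nb.Add(caExpiry - time.Second)}
	return v, checkMax(p, v)
}

// perProfile takes the lifetime from the profile, so each profile can differ.
func perProfile(backdate time.Duration, p profile, now time.Time) (validity, error) {
	nb := now.Add(-backdate)
	v := validity{nb, nb.Add(p.maxValidity - time.Second)}
	return v, checkMax(p, v)
}

func main() {
	now := time.Date(2024, 2, 26, 0, 0, 0, 0, time.UTC) // constructed timestamp
	short := profile{"shortLived", 240 * time.Hour}
	_, err := perCA(8760*time.Hour, time.Hour, short, now)
	fmt.Println("per-CA:     ", err)
	v, err := perProfile(time.Hour, short, now)
	fmt.Println("per-profile:", v.notBefore, "to", v.notAfter, "err:", err)
}
```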