-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Leaf certificate expiration reported by API does not account for CA expiration date #377
Comments
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story. The labels on this github issue will be updated when the story is started. |
date This prevents one from issuing a certificate that appears to be valid, but in reality typically won't validate as being so. Partially fixes cloudfoundry#377
Hi @ae-govau, thank you for reporting the issue. Question about your workflow:
Shouldn't For whether a leaf certificate's notAfter can be longer than the notAfter of the CA, I haven't found an official RFC about this question. And it seems that the implementations of our peers vary and people are warned that they should not assume that this requirement is enforced. That said, your argument makes sense. However, I think the change should be that CredHub returns an error when you request to generate a leaf certificate with a longer validity duration than the CA (as opposed to silently lowering the duration for the user). This way, the user gets a clear feedback on whether their exact request has been fulfilled. But in any case, this would be a breaking change, which warrants a major version bump. We could consider it when we are ready for our next major version. |
The call to
And you're partially correct - it also does return a record for the signing CA ( However what we found is that the current certificate for the signing CA is newer - but the actual CA used to sign the child certificate was an older version of that signing CA. We have automation built to apply the process outlined here: But for this particular certificate (which you can see is a CA cert itself), we were left in this situation where after following that process (and perhaps we have an error in our scripting) we are left with this CA cert in a state where it's been signed by an older version of the parent CA. My gut feeling is that having 2 levels of CAs may simply not work with the 4 step process for rotating CAs listed above, and that we may be better to try to weed out why that's actually needed. I'll see if I can take another look at We've since added an extra step to our regular validation to make an extra call to the API to fetch the CA for each cert and validate that it's also in the list returned by
I'm pretty certain most clients will enforce it at validation time, as they'll be validating the parent cert which won't be valid if it's expired. I also wasn't able to find a definitive answer on issuance. In theory you could issue a child cert valid longer than the parent, and the re-issue the parent to the same key for a longer validity, so in theory it might be ok, but in practice it's not.
Re raising an error if requesting a longer date, wouldn't that nearly always occur? ie initially request a year for the CA, then the next request will be for that CA to sign a child cert for the same period? Would you be open to adding an additional field to each |
Sorry for the confusion. My original statement was intended to be in agreement with you. Let me rephrase: I'll respond to your other points separately. |
What version of the credhub server you are using?
2.12.8
What version of the credhub cli you are using?
2.6.2
If you were attempting to accomplish a task, what was it you were attempting to do?
As part of our CI/CD, we run
credhub curl -p /api/v1/certificates
, parse the output, and verify that the most recent version of all certificates has anexpiry_date
at least 30 days out. This helps give us plenty of time to initiate rotation procedures before expiration.What did you expect to happen?
The
expiry_date
should be the value when the certificate ceases to function.What was the actual behavior?
The
expiry_date
is parsed from the certificate data itself, without regard to the CA that signed it, which has a much closer in expiration date.For example:
Output:
However a subsequent call to fetch more data about that version of the certificate:
Reveals that the CA expires 6 months earlier (a few days ago):
We believe this is likely due to a previous rotation where update-mode converge may not have been correctly set, however none-the-less we think it is unhelpful for
credhub
to report an expiration date that is longer than the CA that it knows has signed it. Separately it would helpful to simply not issue a certificate longer than the parent CA as well.Please confirm where necessary:
The text was updated successfully, but these errors were encountered: