I am not entirely sure what is going on here, but it seems that there is no way to generate a valid CA having an expiry less than 5 minutes. The generated CA is either <= 59 seconds away from expiry or is in fact expired. Is there a workaround for this? Expiry handling for CA and other certs seems to be offset by 5 minutes for some reason.
./cfssl-1.4.1 version
Version: 1.4.1
Runtime: go1.12.12
JSON request:
{
  "CN": "CA",
  "names": [
    {
      "C": "CA",
      "L": "QC",
      "O": "XYZ Inc.",
      "ST": "Montreal",
      "OU": "Infrastructure"
    }
  ],
  "CA": {
    "expiry": "240s",
    "pathlen": 0
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
Example of the issue.
date; cfssl-1.4.1 gencert -initca EXP-ca-req.json 2> /dev/null | jq -r .cert|openssl x509 -text -in -|egrep 'After|Before'; date
Thu Nov 28 13:32:11 EST 2019
Not Before: Nov 28 18:27:00 2019 GMT
Not After : Nov 28 18:31:00 2019 GMT
Thu Nov 28 13:32:12 EST 2019
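
An added reproduction in Go, not part of the original report and not cfssl's own code: it assumes the validity window implied by the Not Before and Not After values above (start = issue time rounded to the minute minus five minutes, end = start + expiry), builds a self-signed CA with that window, and verifies it at the issue time. `backdatedWindow` and `expiredAtIssue` are hypothetical names, and an Ed25519 key stands in for the RSA key in the request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// backdatedWindow is an assumed model inferred from the output in the post:
// the start is backdated five minutes on a minute boundary, the end is start+expiry.
func backdatedWindow(now time.Time, expiry time.Duration) (time.Time, time.Time) {
	nb := now.Round(time.Minute).Add(-5 * time.Minute)
	return nb, nb.Add(expiry)
}

// expiredAtIssue reports whether a CA issued at "now" already fails x509 verification as expired.
func expiredAtIssue(now time.Time, expiry time.Duration) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	nb, na := backdatedWindow(now, expiry)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return true, nil
	}
	return false, err
}

func main() {
	fmt.Println(expiredAtIssue(time.Date(2019, 11, 28, 18, 32, 11, 0, time.UTC), 240*time.Second))
}
```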