default cert expiration to two years, not one

replicatedhq · Oct 18, 2019 · c5d433d · c5d433d
1 parent 76974ab
commit c5d433d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/pkg/util/certs.go b/pkg/util/certs.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/cloudflare/cfssl/config"
 	"github.com/cloudflare/cfssl/csr"
 	"github.com/cloudflare/cfssl/helpers"
 	"github.com/cloudflare/cfssl/initca"
@@ -77,7 +78,14 @@ func MakeCert(host []string, certKind, CACert, CAKey string) (CertType, error) {
 		return CertType{}, errors.Wrap(err, "parse csr")
 	}
 
-	localSigner, err := local.NewSigner(parsedCaKey, parsedCaCert, signer.DefaultSigAlgo(parsedCaKey), nil)
+	twoYearConfig := config.DefaultConfig()
+	twoYearConfig.Expiry = 17520 * time.Hour // two years
+	twoYearConfig.ExpiryString = "17520h"
+	signConfig := config.Signing{
+		Default: twoYearConfig,
+	}
+
+	localSigner, err := local.NewSigner(parsedCaKey, parsedCaCert, signer.DefaultSigAlgo(parsedCaKey), &signConfig)
 	if err != nil {
 		return CertType{}, errors.Wrap(err, "create signer")
 	}

diff --git a/pkg/util/certs_test.go b/pkg/util/certs_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"testing"
+	"time"
 
 	"github.com/cloudflare/cfssl/csr"
 	"github.com/stretchr/testify/require"
@@ -206,6 +207,11 @@ func TestMakeCert(t *testing.T) {
 				err = parsedCert.VerifyHostname(host)
 				req.NoError(err, "hostname %s must be present on cert", host)
 			}
+
+			// validate that the cert is valid for two more years
+			req.True(parsedCert.NotAfter.Add(-time.Hour * (17520 - 1)).After(time.Now()))
+			// and that it is valid now
+			req.True(parsedCert.NotBefore.Before(time.Now()))
 		})
 	}
 }