Changing minimum certificate rotation period and backdating to 1h

[diogomonica]

@aaronlehmann

Fixes #1175

Signed-off-by: Diogo Monica [email protected]

[codecov-io]

Current coverage is 54.85% (diff: 100%)

Merging #1243 into master will decrease coverage by <.01%

@@             master      #1243   diff @@
==========================================
  Files            78         77     -1   
  Lines         12402      12373    -29   
  Methods           0          0          
  Messages          0          0          
  Branches          0          0          
==========================================
- Hits           6803       6787    -16   
+ Misses         4665       4652    -13   
  Partials        934        934          

Powered by Codecov. Last update e65562c...6486e7f

[aaronlehmann]

Probably a dumb TLS question, but is it correct to specify both NotBefore / NotAfter and also Expiry? Does cfssl use both of them?

[diogomonica]

CFSSL is silly and doesn't seem to allow me to not specify Expiry. Tells me this is an invalid profile. Didn't dig super far into it though, I might be missing something obvious.

In TLS there is not concept of Expiry, the only two things that matter are notBefore and notAfter.

This is the code that fills in the notBefore and notAfter: https://github.com/cloudflare/cfssl/blob/f8a8adaa9d48141125b78c23553a174845661522/signer/signer.go#L280

[aaronlehmann]

Probably a good idea to only call time.Now() once to ensure consistency between these timestamps, in case something crazy happens to the clock between the two calls.

It will probably never issue in practice, but I'd rather have one less corner case to think about.

[diogomonica]

Fixed.

[aaronlehmann]

LGTM

But I'm not sure we can merge this in between the last -rc and the 1.12 GA :(

ping @aluzzardi @tiborvass for opinions

[aluzzardi]

Tagged as 1.12.1. We'll push it at the next release