openssl: do not hand out certificates valid longer than root certificate #114
Maybe not really acme2certifier's responsibility, but:

Would it be ok to implement a limit on the "valid until" field, so that the server certificate is never valid longer than any other certificate in the certificate chain?

I filed a bug against letsencrypt, because they only check the validity of the server certificate and not of the whole chain. But they keep ignoring it somewhat, because the letsencrypt root CA does not have this issue (my root CA is relatively short-lived, and I often forget to update it >30 days before it expires).

I can look into implementing this myself. But I wanted to hear your opinion on whether that would be an accepted feature, first.

I agree that EE certificates should not have longer validity times than the related intermediate certificates. But I see this rather as the responsibility of the issuing CA to mandate this. Thus, the cleanest implementation would be inside the openssl handler, enforcing that the "valid until" field of an EE certificate is always shorter than the CA certificates in the chain. Feel free to give it a try. The feature makes sense and a patch will get accepted.

Thank you for the quick answer. Yes, I meant to implement it in the openssl handler. I'll see when I have time to play around with it :)

Cannot agree with such a general statement. There might be use cases where that might make sense, e.g. when the issuing CA certificate is expected to be renewed (not "rekeyed") and keyIdentifier is used for AuthorityKeyIdentifier.

Yep ;)

I agree, there might be some valid use cases. Thus, let's make it configurable, with the default setting turned off.

Are there any other automated CAs that do this? It seems highly niche, and will probably work so-so since the ACME protocol has no way of pushing an updated chain to the client when the issuing CA is renewed.

Feature has been introduced in v0.32. Please add
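The clamping the thread converges on (cap the EE certificate's "valid until" at the earliest expiry in the CA chain, behind a configurable switch that is off by default) can be illustrated with a short stdlib-only Python snippet. This is an added example, not acme2certifier's own openssl handler code; it assumes the chain expiry dates are handed in as the `notAfter=...` lines that `openssl x509 -noout -enddate` prints, and the `enforce` flag, the `clamp_not_after` function and the sample dates are constructed for the illustration.

```python
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple

# Format of the line printed by `openssl x509 -noout -enddate`, e.g.
# "notAfter=Sep  1 12:00:00 2026 GMT" (openssl pads single-digit days).
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_enddate(line: str) -> datetime:
    """Turn an openssl -enddate line into a timezone-aware UTC datetime."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    return datetime.strptime(value, _OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def clamp_not_after(
    requested_not_after: datetime,
    not_before: datetime,
    chain: Sequence[Tuple[str, datetime]],
    enforce: bool = False,
) -> Tuple[datetime, Optional[str]]:
    """Return (effective_not_after, name_of_limiting_ca_cert_or_None).

    `chain` lists (label, notAfter) for every CA certificate above the EE
    certificate. With enforce=False (the default agreed in the thread) the
    requested date is returned untouched; with enforce=True it is capped at
    the earliest CA expiry. Raises ValueError when the cap would make the
    certificate expire before it becomes valid, i.e. the chain itself is
    already (nearly) expired and issuance should be refused, not silently
    shortened to a useless lifetime.
    """
    if not enforce or not chain:
        return requested_not_after, None
    limiting_label, earliest = min(chain, key=lambda item: item[1])
    if requested_not_after <= earliest:
        return requested_not_after, None
    if earliest <= not_before:
        raise ValueError(
            f"chain certificate {limiting_label!r} expires at {earliest:%Y-%m-%d} "
            "before the requested notBefore; refuse issuance"
        )
    return earliest, limiting_label


# Constructed sample: a long-lived intermediate and a root that expires in
# under a year, mirroring the short-lived root described in the issue.
SAMPLE_CHAIN = [
    ("intermediate", parse_openssl_enddate("notAfter=Jun 30 23:59:59 2028 GMT")),
    ("root", parse_openssl_enddate("notAfter=Sep  1 12:00:00 2026 GMT")),
]
SAMPLE_NOT_BEFORE = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_REQUESTED = datetime(2027, 3, 1, tzinfo=timezone.utc)


def demo(enforce: bool) -> Tuple[datetime, Optional[str]]:
    """Run the clamp over the constructed sample with the given switch."""
    return clamp_not_after(SAMPLE_REQUESTED, SAMPLE_NOT_BEFORE, SAMPLE_CHAIN, enforce)


if __name__ == "__main__":
    for flag in (False, True):
        effective, limited_by = demo(flag)
        print(f"enforce={flag}: notAfter={effective:%Y-%m-%d}", end="")
        print(f" (capped by {limited_by})" if limited_by else " (as requested)")
```

The function reports which chain certificate did the capping so the handler can log it; that log line is the operator's early warning that the root or intermediate is approaching expiry, which is exactly the situation the issue reporter describes forgetting about.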