Rebase #14178 / Add not_before_duration API parameter to Root/Intermediate CA generation (#15511)

* PKI - Add not_before_duration API parameter to: - Root CA generation - Intermediate CA generation - Intermediate CA signing * Move not_before_duration to addCACommonFields This gets applied on both root generation and intermediate signing, which is the correct place to apply this. Co-authored-by: guysv <sviryguy@gmail.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Resolves: #10631 Co-authored-by: guysv <sviryguy@gmail.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test case for root/generate, sign-intermediate Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update path role description Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add new not_before_duration to relevant docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: guysv <sviryguy@gmail.com>
2025-11-01 19:17:58 +00:00 · 2022-05-19 12:35:08 -04:00
parent b529820266
commit cbdf16c5a1
7 changed files with 39 additions and 7 deletions
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -288,6 +288,7 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 		AllowedSerialNumbers:      []string{"*"},
 		AllowedURISANs:            []string{"*"},
 		NotAfter:                  data.Get("not_after").(string),
+		NotBeforeDuration:         time.Duration(data.Get("not_before_duration").(int)) * time.Second,
 	}
 	*role.AllowWildcardCertificates = true