caddypki: check intermediate lifetime to actual root cert lifetime #7272
Merged
mholt merged 1 commit into caddyserver:master on Sep 26, 2025
hslatman added a commit to hslatman/caddy that referenced this pull request Nov 5, 2025
In caddyserver#7272 a check was changed to ensure that generated intermediate certificates would always use a lifetime that falls within the lifetime of the root. However, when a root and intermediate(s) are supplied, the configuration value was being used instead of the actual lifetimes of the certificates. The check was moved to only be performed when an intermediate is generated; not when loaded from disk.
Contributor
This might cause issues for roots and intermediate(s) supplied as PEM, when not being generated. If the root lifetime of an actual cert is shorter than the (default) intermediate lifetime in the configuration, this would fail. Arguably, this is a bit of an edge case and I only discovered it while adding tests on a different PR. I've moved the check to only be performed for generated intermediates in #7057: 537a374.
hslatman added a commit to hslatman/caddy that referenced this pull request Dec 3, 2025
In caddyserver#7272 a check was changed to ensure that generated intermediate certificates would always use a lifetime that falls within the lifetime of the root. However, when a root and intermediate(s) are supplied, the configuration value was being used instead of the actual lifetimes of the certificates. The check was moved to only be performed when an intermediate is generated; not when loaded from disk.
mholt added a commit that referenced this pull request Dec 3, 2025
)
* caddypki: Add support for multiple intermediates in signing chain
* Move intermediate lifetime configuration check

  In #7272 a check was changed to ensure that generated intermediate certificates would always use a lifetime that falls within the lifetime of the root. However, when a root and intermediate(s) are supplied, the configuration value was being used instead of the actual lifetimes of the certificates. The check was moved to only be performed when an intermediate is generated; not when loaded from disk.
* Add tests for `pemDecodeCertificateChain` and `pemDecodeCertificate`
* Use `crypto.Signer` instead of `any` in appropriate places
* Use latest Smallstep packages

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Assistance Disclosure
No AI was used.
Fixes: #7271
After calling ca.loadOrGenRoot(), we can see the actual root cert notAfter (thus it is the lifetime of the actual root cert).
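The check discussed in this pull request and its follow-up, sketched as an added Go example that is not Caddy's code: the configured intermediate lifetime is compared against the parsed root certificate's `NotAfter`, and only when the intermediate is being generated. `newRoot`, `checkIntermediateLifetime`, the `generated` flag and the 24-hour and 7-day values are hypothetical names and constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a constructed self-signed root and returns it as parsed from DER.
func newRoot(now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: now, NotAfter: now.Add(lifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkIntermediateLifetime (hypothetical) rejects a to-be-generated intermediate
// that would outlive the actual root; intermediates loaded from disk are skipped.
func checkIntermediateLifetime(root *x509.Certificate, lifetime time.Duration, generated bool, now time.Time) error {
	end := now.Add(lifetime)
	if generated && end.After(root.NotAfter) {
		return fmt.Errorf("intermediate lifetime %s ends after root NotAfter %s", lifetime, root.NotAfter.Format(time.RFC3339))
	}
	return nil
}

func main() {
	now := time.Now()
	root, err := newRoot(now, 24*time.Hour) // constructed: root shorter than the 7-day setting
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", checkIntermediateLifetime(root, 7*24*time.Hour, true, now))
	fmt.Println("loaded:", checkIntermediateLifetime(root, 7*24*time.Hour, false, now))
}
```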