FAB-6251 Backdate certificates generated by cryptogen

cryptogen currently sets the NotBefore field for certificates to the current time. Fabric CA sets the NotBefore field to current time - 5 minutes. If one attempts to use the CA certs generated by cryptogen with Fabric CA and then tries to enroll with Fabric CA, if you don't wait 5+ min then the certs signed by Fabric CA end up being invalid. This change simply backdates the NotBefore 5 minutes prior to the current time for all generated certs Change-Id: I0f5661216dc6459d19d808ed592046a0de3f3034 Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
hyperledger · Sep 25, 2017 · d54542f · d54542f
1 parent d30b129
commit d54542f
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/common/tools/cryptogen/ca/generator.go b/common/tools/cryptogen/ca/generator.go
@@ -124,16 +124,20 @@ func subjectTemplate() pkix.Name {
 // default template for X509 certificates
 func x509Template() x509.Certificate {
 
-	//generate a serial number
+	// generate a serial number
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
 
-	now := time.Now()
+	// set expiry to around 10 years
+	expiry := 3650 * 24 * time.Hour
+	// backdate 5 min
+	notBefore := time.Now().Add(-5 * time.Minute).UTC()
+
 	//basic template to use
 	x509 := x509.Certificate{
 		SerialNumber:          serialNumber,
-		NotBefore:             now,
-		NotAfter:              now.Add(3650 * 24 * time.Hour), //~ten years
+		NotBefore:             notBefore,
+		NotAfter:              notBefore.Add(expiry).UTC(),
 		BasicConstraintsValid: true,
 	}
 	return x509