Tags: hyperledger-fabric, hyperledger-fabric-ca

Validity dates for certificates issued with Fabric CA


I've been creating new certificates with expiry: 43800h, that's 5 years of validity. However, the "Not Before" and the "Not After" have dates that do not match the day the certificate was created. It looks like it is calculated using other logic. I don't see an option in the fabric-ca-server-config.yaml to SET the "not before".

For example, I created a certificate yesterday (October 18th), and it seems that the "Not Before"/"Not After" should be October 18, but it isn't for some reason:

    Validity
        Not Before: Feb  8 14:19:00 2023 GMT
        Not After : Feb  7 14:26:00 2028 GMT

I wish to have the Not Before/Not After dates match the day I'm in, that is, the moment when the certificate is created.

NOTE: I'm using the fabric node SDK to create the certificates.

Cheers!


Solution

  • I got the answer from the Fabric mailing list member David Enyeart:

    It looks like the dates are bound by the responding Fabric CA’s own expiry.

    For example, if the Fabric CA cert was created in February 2023 and is good for 5 years, and then in October 2023 you request (enroll) a client certificate with expiry in 5 years, the client cert expiry will be February 2028 (since that is when the responding CA is good until), not the requested date of October 2028.

    Similarly, the start date defaults to the Fabric CA’s start date.

    There is a Fabric CA debug message that you’ll get when this happens:

    https://github.com/hyperledger/fabric-ca/blob/main/lib/serverenroll.go#L125

    Maybe that should be a log message rather than debug message so that administrators would see it.

    I think most people set the CA expiries much further out than the runtime node and client expiries to avoid such issues.
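The following Go program is an added illustration and is not code from the question, the answer, or Fabric CA itself. It models the two rules the answer describes (the issued certificate's expiry is measured from enrollment time but is cut back to the CA's own NotAfter, and the start date defaults to the CA's NotBefore), builds a throwaway CA covering the validity window printed in the question, enrolls a client certificate under that model, and then runs the check an administrator would want over any issued certificate and its CA: does the expiry coincide with the CA's expiry, and how much lifetime was actually granted. All dates, names and keys are constructed for the example; the exact clamping logic inside Fabric CA is only summarized from the answer, not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample dates: the CA window copies the Validity block shown in
// the question; the enrollment time is the "October 18th" from the question.
var (
	caNotBefore = time.Date(2023, time.February, 8, 14, 19, 0, 0, time.UTC)
	caNotAfter  = time.Date(2028, time.February, 7, 14, 26, 0, 0, time.UTC)
	enrollTime  = time.Date(2023, time.October, 18, 9, 0, 0, 0, time.UTC)
)

// EffectiveValidity models the rule from the answer (assumption: this is a
// model, not Fabric CA's own code). The requested validity is counted from the
// enrollment time but may not pass the CA's NotAfter, and because the request
// carries no start date the start defaults to the CA's NotBefore.
// clamped reports whether the requested expiry was cut back.
func EffectiveValidity(ca *x509.Certificate, enrollAt time.Time, requested time.Duration) (notBefore, notAfter time.Time, clamped bool) {
	notBefore = ca.NotBefore
	notAfter = enrollAt.Add(requested)
	if notAfter.After(ca.NotAfter) {
		notAfter, clamped = ca.NotAfter, true
	}
	return notBefore, notAfter, clamped
}

// newCert signs template with the signer's key (parent == template for the
// self-signed CA) and returns the parsed certificate.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildCerts creates a throwaway P-256 CA covering the constructed window and
// then enrolls a client certificate with the requested validity under the model.
func BuildCerts(requested time.Duration) (ca, client *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"}, // constructed name
		NotBefore:             caNotBefore,
		NotAfter:              caNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nb, na, _ := EffectiveValidity(ca, enrollTime, requested)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "client1"}, // constructed name
		NotBefore:    nb,
		NotAfter:     na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err = newCert(clientTmpl, ca, &clientKey.PublicKey, caKey)
	return ca, client, err
}

// BoundedByIssuer is the post-enrollment check over an issued certificate and
// its CA: it reports whether the expiry coincides with the CA's own expiry (the
// symptom seen in the question) and the lifetime actually granted, so a
// shorter-than-expected window is noticed before renewal is overdue.
func BoundedByIssuer(cert, ca *x509.Certificate) (bool, time.Duration) {
	return cert.NotAfter.Equal(ca.NotAfter), cert.NotAfter.Sub(cert.NotBefore)
}

func main() {
	ca, client, err := BuildCerts(43800 * time.Hour) // the 5-year request from the question
	if err != nil {
		panic(err)
	}
	bounded, life := BoundedByIssuer(client, ca)
	fmt.Printf("client NotBefore=%s NotAfter=%s\n", client.NotBefore.Format(time.RFC3339), client.NotAfter.Format(time.RFC3339))
	fmt.Printf("expiry bounded by CA: %v, granted lifetime: %.0f days\n", bounded, life.Hours()/24)
}
```

Running it shows the client certificate taking the CA's February 2023 start and February 2028 expiry rather than the October 2023 to October 2028 window that was asked for; the same BoundedByIssuer check can be pointed at real PEM files (parse them with x509.ParseCertificate after pem.Decode) to confirm whether an existing enrollment was cut back by its CA.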