Use default duration for host certificates identity files.

Mariano Cano 2019-11-26 19:09:01 -08:00 committed by max furman
parent e29892e9eb
commit 7b81bec8aa


@ -306,10 +306,14 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
// Sign identity certificate if available. // Sign identity certificate if available.
var identityCertificate []Certificate var identityCertificate []Certificate
if cr := body.IdentityCSR.CertificateRequest; cr != nil { if cr := body.IdentityCSR.CertificateRequest; cr != nil {
opts := provisioner.Options{ var opts provisioner.Options
// Use same duration as ssh certificate for user certificates
if body.CertType == provisioner.SSHUserCert {
opts = provisioner.Options{
NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)), NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)),
NotAfter: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)), NotAfter: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)),
} }
}
ctx := authority.NewContextWithSkipTokenReuse(context.Background()) ctx := authority.NewContextWithSkipTokenReuse(context.Background())
ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod) ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
signOpts, err := h.Authority.Authorize(ctx, body.OTT) signOpts, err := h.Authority.Authorize(ctx, body.OTT)
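Review bot: The new `if body.CertType == provisioner.SSHUserCert` test keys the identity certificate's lifetime off the request field rather than the certificate that was actually signed, so a request whose `CertType` is empty or anything other than the exact user value takes the zero-value `opts` path and gets the provisioner's default duration. If an empty `CertType` is accepted earlier in `SSHSign` and yields a user certificate (not visible in this hunk), the identity certificate could then outlive the SSH certificate it accompanies. Consider branching on the issued certificate instead, e.g. `if cert.CertType == ssh.UserCert {` (assuming `cert` is an `*ssh.Certificate`). The comment should also cover the other branch, for example `// Host certificates keep the zero-value Options so the provisioner's default duration applies.` The enclosing function starts and ends outside the hunk.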