FAB-6251 Backdate certificates generated by cryptogen

mastersingh24 · mastersingh24 · commit d54542f9de05 · 2017-09-25T06:56:46.000-04:00
cryptogen currently sets the NotBefore field
for certificates to the current time.
Fabric CA sets the NotBefore field to
current time - 5 minutes.

If one attempts to use the CA certs
generated by cryptogen with Fabric CA
and then tries to enroll with Fabric CA,
if you don't wait 5+ min then the certs
signed by Fabric CA end up being invalid.

This change simply backdates the NotBefore
5 minutes prior to the current time for all
generated certs

Change-Id: I0f5661216dc6459d19d808ed592046a0de3f3034
Signed-off-by: Gari Singh &lt;gari.r.singh@gmail.com&gt;
diff --git a/common/tools/cryptogen/ca/generator.go b/common/tools/cryptogen/ca/generator.go
@@ -124,16 +124,20 @@ func subjectTemplate() pkix.Name {
 // default template for X509 certificates
 func x509Template() x509.Certificate {
 
-	//generate a serial number
+	// generate a serial number
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
 
-	now := time.Now()
+	// set expiry to around 10 years
+	expiry := 3650 * 24 * time.Hour
+	// backdate 5 min
+	notBefore := time.Now().Add(-5 * time.Minute).UTC()
+
 	//basic template to use
 	x509 := x509.Certificate{
 		SerialNumber:          serialNumber,
-		NotBefore:             now,
-		NotAfter:              now.Add(3650 * 24 * time.Hour), //~ten years
+		NotBefore:             notBefore,
+		NotAfter:              notBefore.Add(expiry).UTC(),
 		BasicConstraintsValid: true,
 	}
 	return x509
