Allow to Set "notBefore" and "notAfter" of Issued Client Certificates [399667365]

Assigned

Feature Request

Status Update

No update yet.

Description

ni...@sap.com

created issue #1

Feb 28, 2025 12:55PM

Feature Request

We want to use the Certificate Authority Service to issue client certificates. These client certificates should be valid for exactly the time specified. This means the validity of the certificate ("notBefore" and "notAfter" date) should be exactly the values provided.

Current Implementation

Currently, there is only the option to provide a validity in the ISO8601 duration format. But this just defines a duration, e.g., P30D means the certificate should be valid for 30 days. The Certificate Authority Service sets the exact "notBefore" and "notAfter" dates of the certificates. This is described in the SDK documentation:

--validity=VALIDITY; default="P30D"
The validity of this certificate, as an ISO8601 duration. Defaults to 30 days.

The biggest drawbacks of only specifying the period is that (1) we do not have complete control the validity of the certificates (which may lead to unwanted "notBefore" and/or "notAfter" dates of the certificates) and (2) we cannot backdate the certificate "notBefore" date in the past (we use this extensively to ensure that time differences do not affect the start validity of the certificate and it can be used right away).

I have seen a similar feature request Backdate the Certificate 'ValidFrom' / 'notBefore' Timestamp.

Solution Proposal

What we imagine is a feature as provided for AWS Private Certificate Authorities, where we can directly set the "notBefore" and "notAfter" date of the certificates. This is described in the API reference

Validity
Information describing the end of the validity period of the certificate. This parameter sets the “Not After” date for the certificate.
[...] Validity can be expressed as an explicit date and time when the certificate expires

ValidityNotBefore
Information describing the start of the validity period of the certificate. This parameter sets the “Not Before" date for the certificate.
By default, when issuing a certificate, AWS Private CA sets the "Not Before" date to the issuance time minus 60 minutes. This compensates for clock inconsistencies across computer systems. 
The ValidityNotBefore value is expressed as an explicit date and time, using the Validity type value ABSOLUTE

and the validity API parameter specification:

Type
Determines how AWS Private CA interprets the Value parameter, an integer. Supported validity types include those listed below.
[...]
ABSOLUTE: The specific date and time when the validity of a certificate will start or expire, expressed in seconds since the Unix
[...]
Value
A long integer interpreted according to the value of Type, below.

An example of a request including both "ValidityNotBefore" and "Validity" could be:

{
  [...]
  "ValidityNotBefore": {
    "Type": "ABSOLUTE",
    "Value": 1740743603
  },
  "Validity": {
    "Type": "ABSOLUTE",
    "Value": 1745844803
  }
}

We use this feature to set both Validity and ValidityNotBefore as "ABSOLUTE" unix timestamps. This allows us to have complete control of the certificate's "notBefore" and "notAfter" date and does not leave room for interpretation of the Certificate Authority Service.

Comments

ba...@google.com <ba...@google.com> Mar 3, 2025 03:32AM

Assigned to ka...@google.com.

ka...@google.com <ka...@google.com> #2Mar 3, 2025 10:20AM

Reassigned to gc...@google.com.

I highly support this, this way every current FormGroup subclass can define only the functions it needs (Everything besides Address can get rid of the AutofillType API and of the app_locale parameters, many classes could also get rid of the VerificationStatus API, etc.)

AutofillProfile could then implement a GetDataForType(FieldType) -> absl::variant<Address, NameInfo, ...> and provide the current API with visit calls instead of polymorphism.

Issue 399667365

Description

Feature Request

Current Implementation

Solution Proposal

Issue summary

Comments

ba...@google.com <ba...@google.com> Mar 3, 2025 03:32AM

ka...@google.com <ka...@google.com> #2Mar 3, 2025 10:20AM

Add comment

Issue metadata