pivotal/credhub-release

credhub does not create a certificate with a specified duration on cf-deployment

addisflava opened this issue · 2 comments

cf deployment variable

- name: silk_ca
  type: certificate
  duration: 999
  options:
    is_ca: true
    common_name: silk-ca
- name: silk_controller
  type: certificate
  duration: 999
  options:
    ca: silk_ca
    common_name: silk-controller.service.cf.internal
    extended_key_usage:
    - server_auth
- name: silk_daemon
  type: certificate
  duration: 999
  options:
    ca: silk_ca
    common_name: silk-daemon
    extended_key_usage:
    - client_auth

checking the created certificate after deploying cf

for i in $(credhub find --name-like silk | grep  name  | sed "s/- name:// "); do credhub get --name $i | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'  | sed  "s/^\s*//g"  | awk 'v{v=v"\n"$0};/----BEGIN/ {v=$0};/----END/&&v{;print v > "tmp.crt";close("tmp.crt");system("openssl x509 -enddate -noout -in tmp.crt; head -n 2 tmp.crt| tail -n 1; echo -n TAIL:; tail -n 2 tmp.crt| head -n 1"); v=x}'; done
notAfter=Sep  3 18:43:33 2020 GMT
MIIDBTCCAe2gAwIBAgIUMs8D9X0zJeWLMxDXW/wsLD/qnPowDQYJKoZIhvcNAQEL
TAIL:3hXV3Ri8s7JJ
notAfter=Sep  3 18:43:33 2020 GMT
MIIDGzCCAgOgAwIBAgIUSR54V5TNnDs35AmNajhEztFlYrowDQYJKoZIhvcNAQEL
TAIL:2MU9LxHevbE29GwJjzMkfhUjhdMEdDXCDsQJ+bycRQ==
notAfter=Sep  3 18:43:33 2020 GMT
MIIDBTCCAe2gAwIBAgIUMs8D9X0zJeWLMxDXW/wsLD/qnPowDQYJKoZIhvcNAQEL
TAIL:3hXV3Ri8s7JJ
notAfter=Sep  3 18:43:33 2020 GMT
MIIDMzCCAhugAwIBAgIUaxlxaN4wlA6RuxE4f/rM58NAqZgwDQYJKoZIhvcNAQEL
TAIL:vd33dyVv5Q==
notAfter=Sep  3 18:43:33 2020 GMT
MIIDBTCCAe2gAwIBAgIUMs8D9X0zJeWLMxDXW/wsLD/qnPowDQYJKoZIhvcNAQEL
TAIL:3hXV3Ri8s7JJ
notAfter=Sep  3 18:43:33 2020 GMT
MIIDBTCCAe2gAwIBAgIUMs8D9X0zJeWLMxDXW/wsLD/qnPowDQYJKoZIhvcNAQEL
TAIL:3hXV3Ri8s7JJ

What version of the credhub server you are using?

2.4.0

What version of the credhub cli you are using?

If you were attempting to accomplish a task, what was it you were attempting to do?

deploy cf with longer certificate duration

What did you expect to happen?
expire date to be longer than 365

What was the actual behavior?

Please confirm where necessary:

  • I have included a log output
  • My log includes an error message
  • I have included steps for reproduction

If you are a PCF customer with an Operation Manager (PCF Ops Manager) please direct your questions to support (https://support.pivotal.io/)

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/168304881

The labels on this github issue will be updated when the story is started.

found my issue, duration should be below options

- name: silk_ca
  type: certificate
  options:
    is_ca: true
    common_name: silk-ca
    duration: 999
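
A pre-deploy check for the misplacement found in this thread, added here as an example; it is not code from the issue or from the CredHub or BOSH projects. The function name, the key list (taken from the manifest quoted above) and the sample manifest are assumptions made for illustration.

```ruby
require "yaml"

# Generation parameters that the manifest in this thread places under
# `options:`. A copy of any of them beside `options:` is reported.
CERT_OPTION_KEYS = %w[duration ca is_ca common_name extended_key_usage].freeze

# Accepts a full manifest (with a top-level `variables:` key) or a bare list
# of variable definitions, and returns one finding per misplaced key.
def misplaced_cert_options(manifest_yaml)
  doc = YAML.safe_load(manifest_yaml) || {}
  vars = doc.is_a?(Hash) ? doc.fetch("variables", []) : doc
  Array(vars).each_with_object([]) do |var, findings|
    next unless var.is_a?(Hash) && var["type"] == "certificate"
    (var.keys & CERT_OPTION_KEYS).each do |key|
      findings << { name: var["name"], key: key, value: var[key] }
    end
  end
end

# Constructed sample: silk_ca repeats the layout from the original report,
# silk_controller uses the layout from the follow-up comment.
SAMPLE_MANIFEST = <<~MANIFEST
  variables:
  - name: silk_ca
    type: certificate
    duration: 999
    options:
      is_ca: true
      common_name: silk-ca
  - name: silk_controller
    type: certificate
    options:
      ca: silk_ca
      common_name: silk-controller.service.cf.internal
      duration: 999
  - name: some_password
    type: password
MANIFEST

if __FILE__ == $PROGRAM_NAME
  misplaced_cert_options(SAMPLE_MANIFEST).each do |f|
    puts "#{f[:name]}: move `#{f[:key]}: #{f[:value]}` under `options:`"
  end
end
```

Running it against a manifest before `bosh deploy` catches the layout that produced the unchanged `notAfter` dates shown in the report.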