Feature Request: Add support to set future date as notBefore when requesting for certificate about cert-manager HOT 7 OPEN

+1 this is an important feature we also want.

from cert-manager.

Feel free to create a PR to add this feature.

from cert-manager.

What is the best way to do this? I can think of two possible solution -

1. Adding them as optional fields in Certificate and CertificateRequest apis -
   We can add two optional fields, such as NotBefore and NotAfter along with Duration field and add some validation to make sure either Duration or NotAfter is set. If NotAfter field is set and NotBefore is empty, we can continue to use time.Now() in that case as well.

2. Providing these through Annotations
   We can use annotations in both Certificate and CertificateRequest apis, to provide this information.

from cert-manager.

@inteon - do you have any suggestion on previous comment?

from cert-manager.

I think a new field would be preferable if we want this feature to be widely supported. The logic itself will have to be implemented by each issuer individually, if we only add support to a very limited set of issuers, an annotation might be preferable. Altering the CertificateRequest API is not a decision to be taken without much thought. So, creating a design document first might be desirable.

from cert-manager.

@inteon Can you explain what do you mean by "logic itself will have to be implemented by each issuer individually"? The was I was thinking is to add these as an optional fields to both Certificate and CertificateRequest API and when we create a x509.CertificateRequest here, we can modify this func as follows -

func CertificateTemplateOverrideDuration(duration time.Duration, notBefore, notAfter *metav1.Time) CertificateTemplateValidatorMutator {
	return func(req *x509.CertificateRequest, cert *x509.Certificate) error {
		if notBefore == nil {
			cert.NotBefore = time.Now()
		} else {
			cert.NotBefore = notBefore.Time
		}
		if notAfter == nil {
			cert.NotAfter = cert.NotBefore.Add(duration)
		} else {
			cert.NotAfter = notAfter.Time
		}

		return nil
	}
}

from cert-manager.

The example CertificateTemplateOverrideDuration function would work. "logic itself will have to be implemented by each issuer individually" refers to the fact that cert-manager has 5 in-tree issuers and a lot of out-of-tree issuers (see https://cert-manager.io/docs/configuration/issuers/). Each issuer will have to be updated to support this new field in the CertificateRequest API. That is not a small task. For that reason, I would advise to create a design document.

from cert-manager.