From d068c00ae853d1f21d8bed0d02053d4cb902b71b Mon Sep 17 00:00:00 2001
From: David-Emmanuel DIVERNOIS
Date: Fri, 6 Sep 2024 13:29:13 +0200
Subject: [PATCH] fix: generate server certificates with a max duration of 825 days

---
 packages/app/server/tls/certs.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/packages/app/server/tls/certs.ts b/packages/app/server/tls/certs.ts
index 87056ceb..e727e3d9 100644
--- a/packages/app/server/tls/certs.ts
+++ b/packages/app/server/tls/certs.ts
@@ -1,6 +1,8 @@
 import { pki, md, util } from 'node-forge';
 
-const TEN_YEARS_IN_MS = 10 * 365 * 24 * 60 * 60 * 1000;
+// Validity max duration in ms:
+// Apple requires 825 days or fewer (cf https://support.apple.com/en-us/103769)
+const VALIDITY_DURATION = 825 * 24 * 60 * 60 * 1000;
 
 interface CertificateOptions {
   issuer?: pki.Certificate;
@@ -40,7 +42,9 @@ export async function createCertificate(
   const now = Date.now();
   cert.serialNumber = `${now}`;
   cert.validity.notBefore = new Date(now);
-  cert.validity.notAfter = issuer ? issuer.validity.notAfter : new Date(now + TEN_YEARS_IN_MS);
+  cert.validity.notAfter = new Date(
+    Math.min(issuer?.validity.notAfter.getTime() ?? Infinity, now + VALIDITY_DURATION),
+  );
   const subject = [
     { name: 'commonName',
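Review bot: `VALIDITY_DURATION` in the first hunk drops the unit suffix that the replaced `TEN_YEARS_IN_MS` carried even though the value is still milliseconds added to `Date.now()`; keeping it in the name, `const VALIDITY_DURATION_MS = 825 * 24 * 60 * 60 * 1000;`, makes the later `now + VALIDITY_DURATION` arithmetic self-explanatory. The constant also sits exactly on the 825-day ceiling the comment cites, and because `notBefore` is set to the same `now` the lifetime is added to (second hunk, whose end lies outside this chunk), a validator counting days with any rounding evaluates the certificate right at the boundary, so a small margin such as `824` days would be safer than the limit itself. The comment could state which certificates the cap targets rather than only who imposes it, e.g. `// Max validity (ms) for the generated server certificates; Apple rejects leaf certificates valid longer than 825 days`.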