Merge pull request microsoft#4008 from iclanton/refresh-too-long-live…

…d-certs [debug-certificate-manager] Force certificates with a validity period longer than 365 days to be refreshed.
spring6225 · Mar 20, 2023 · de11a46 · de11a46
2 parents df67fe7 + 4a92185
commit de11a46
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/...s/@rushstack/debug-certificate-manager/refresh-too-long-lived-certs_2023-03-03-03-27.json b/...s/@rushstack/debug-certificate-manager/refresh-too-long-lived-certs_2023-03-03-03-27.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/debug-certificate-manager",
+      "comment": "Force certificates with a validity period longer than the expected validity period to be refreshed.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/debug-certificate-manager"
+}
diff --git a/libraries/debug-certificate-manager/src/CertificateManager.ts b/libraries/debug-certificate-manager/src/CertificateManager.ts
@@ -15,6 +15,7 @@ const FRIENDLY_NAME: string = 'debug-certificate-manager Development Certificate
 const MAC_KEYCHAIN: string = '/Library/Keychains/System.keychain';
 const CERTUTIL_EXE_NAME: string = 'certutil';
 const CA_ALT_NAME: string = 'rushstack-certificate-manager.localhost';
+const ONE_DAY_IN_MILLISECONDS: number = 24 * 60 * 60 * 1000;
 
 /**
  * The set of names the certificate should be generated for, by default.
@@ -152,6 +153,16 @@ export class CertificateManager {
         );
       }
 
+      if (
+        notBefore.getTime() - notAfter.getTime() >
+        optionsWithDefaults.validityInDays * ONE_DAY_IN_MILLISECONDS
+      ) {
+        messages.push(
+          "The existing development certificate's validity period is longer " +
+            `than ${optionsWithDefaults.validityInDays} days.`
+        );
+      }
+
       const { caCertificateData } = this._certificateStore;
 
       if (!caCertificateData) {