From 167867a226838389381f3fe4db8f933cfe80f49b Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 26 Oct 2020 00:15:16 +0100
Subject: [PATCH] Drop Apple 825-days rule bypass, shorten and print expiration

Closes #299
Closes #271
---
 cert.go | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/cert.go b/cert.go
index 2123ab9..77b2ee0 100644
--- a/cert.go
+++ b/cert.go
@@ -56,6 +56,11 @@ func (m *mkcert) makeCert(hosts []string) {
 	fatalIfErr(err, "failed to generate certificate key")
 	pub := priv.(crypto.Signer).Public()
 
+	// Certificates last for 2 years and 3 months, which is always less than
+	// 825 days, the limit that macOS/iOS apply to all certificates,
+	// including custom roots. See https://support.apple.com/en-us/HT210176.
+	expiration := time.Now().AddDate(2, 3, 0)
+
 	tpl := &x509.Certificate{
 		SerialNumber: randomSerialNumber(),
 		Subject: pkix.Name{
@@ -63,14 +68,8 @@ func (m *mkcert) makeCert(hosts []string) {
 			OrganizationalUnit: []string{userAndHostname},
 		},
 
-		NotAfter: time.Now().AddDate(10, 0, 0),
-
-		// Fix the notBefore to temporarily bypass macOS Catalina's limit on
-		// certificate lifespan. Once mkcert provides an ACME server, automation
-		// will be the recommended way to guarantee uninterrupted functionality,
-		// and the lifespan will be shortened to 825 days. See issue 174 and
-		// https://support.apple.com/en-us/HT210176.
-		NotBefore: time.Date(2019, time.June, 1, 0, 0, 0, 0, time.UTC),
+		NotAfter: expiration,
+		NotBefore: time.Now(),
 
 		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		BasicConstraintsValid: true,
@@ -134,6 +133,8 @@ func (m *mkcert) makeCert(hosts []string) {
 		log.Printf("\nThe PKCS#12 bundle is at \"%s\" ✅\n", p12File)
 		log.Printf("\nThe legacy PKCS#12 encryption password is the often hardcoded default \"changeit\" â„šī¸\n\n")
 	}
+
+	log.Printf("It will expire on %s 🗓\n\n", expiration.Format("2 January 2006"))
 }
 
 func (m *mkcert) printHosts(hosts []string) {
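Review bot: The new `expiration` in the first hunk and the `NotBefore: time.Now(),` in the second hunk come from two separate `time.Now()` calls, so the certificate's validity window is anchored to two slightly different instants; capturing one `now := time.Now()`, then `expiration := now.AddDate(2, 3, 0)` and `NotBefore: now,`, keeps both fields consistent and makes the span explicit. Separately, a `NotBefore` of exactly now leaves no tolerance for a client whose clock runs a little behind the issuing machine, which shows up as a "not yet valid" rejection immediately after generation; backdating slightly, e.g. `NotBefore: now.Add(-time.Hour),`, is the usual mitigation, though for local-development certificates that is a judgement call. The 825-day claim in the added comment checks out by my arithmetic: two years plus three months is at most 731 + 92 = 823 days, including a leap day and AddDate's end-of-month normalisation. makeCert's body continues outside both hunks.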
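Review bot: In the last hunk `expiration.Format("2 January 2006")` renders the date in the local time zone, whereas the `NotAfter` encoded into the certificate is stored in UTC, so near midnight the day printed here can differ by one from the expiry date a client reports when it later rejects the certificate. If that matters, `expiration.UTC().Format("2 January 2006")` prints the same calendar day the certificate carries. The enclosing makeCert's body begins outside the hunk.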