[Bug]: Unable To Issue Certificates With Validity Longer Than 24Hrs #2292

@n-ice-ch

Steps to Reproduce

Seems the same bug is back:
#139

I've set the claims configuration for overall:
    {
      "root": "/home/step/certs/root_ca.crt",
      "federatedRoots": null,
      "crt": "/home/step/certs/intermediate_ca.crt",
      "key": "/home/step/secrets/intermediate_ca_key",
      "address": ":9000",
      "insecureAddress": "",
      "dnsNames": [
        "my.step-ca.example"
      ],
      "logger": {
        "format": "text"
      },
      "db": {
        "type": "badgerv2",
        "dataSource": "/home/step/db",
        "badgerFileLoadingMode": ""
      },
      "authority": {
        "claims": {
          "maxTLSCertDuration": "87660h",
          "defaultTLSCertDuration": "8766h"
        },
        "provisioners": [
          {

And for the individual provisioner too:
    {
      "type": "JWK",
      "name": "charly",
      "key": {
        "use": "sig",
        "kty": "EC",
        "kid": "MmnTrYWCbIrr9uzVfQxLLaeg_-0dVjVJeKd2Z1Bsg8o",
        "crv": "P-256",
        "alg": "ES256",
        "x": "zZTsEfS7hBSFU1sXVxxmc_wcqiIooYRsXuSKJS1mReU",
        "y": "QAfbyd8kZAWV1dD9n6UYs9uIKy_k7EeLKe5Q9ufswts"
      },
      "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiWUtPb08wUEthdWdlUVE1NUxJOXI1ZyJ9.a_ggellUJgXvEVeQbWzFUOrOy3-E-l_ndHzIbZ6fnADDy3EnsYE-oQ.AYlj-oJjWloDj09X.o7shxx-inae8i8CVVLaQ4leEssfp4E1FsmnZwfnB9BAHkMgmDZ__EVFZfG-RpPGDm4aTfCwY0IwZlbV1gSz5lW8gfQ3GdndT6MS0TRjlqRXjAtTlCf0nM4kvwKMaPsdOOGcBWypbvy3CZs2lKKJwRs6mXe0pFUz1JShNHc-hakzFo4dBs_hzcVFig7xDauUoUZWSZRE30G1gLiioXRc2LMxXpeJR3bcz6j4wSIB65l7w-n5l1kZm0GTRJSPU6geggYfXIjKgxnEdbRLK8drr75ZOmdkvLg0bsYam92UEsiG1BsU8NJVUf63PjXym3iANaA0E36_OlRUsVH1SOGo.2yKrC9IsI38bRGiHQDfxlw",
      "claims": {
        "maxTLSCertDuration": "87660h",
        "defaultTLSCertDuration": "8766h"
      },
      "options": {
        "x509": {},
        "ssh": {}
      }
    }

The syntax to generate a certificate is:
    step ca certificate "charly" \
      "/home/step/certs/charly.crt" \
      "/home/step/certs/charly.key" \
      --f \
      --issuer "charly" \
      --ca-url my.step-ca.example:9000 \
      --root /home/step/certs/root_ca.crt \
      --not-after 2160h \
      --password-file /home/step/secrets/charly.password

But I always got this error message:
The request was forbidden by the certificate authority: requested duration of 2160h1m0s is more than the authorized maximum certificate duration of 24h1m0s. Re-run with STEPDEBUG=1 for more info.

I've restarted the container for step-ca multiple times. I never get a certificate with a longer duration than 24h.

Your Environment

  • OS - Docker Container
  • step-ca Version - 0.28.3

Expected Behavior

Get a certificate with the defined duration (more than 24h).

Actual Behavior

step-ca completely ignores the config for claims in ca.json.

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
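
A check for the situation reported above, as an added example (not code from the issue or from the step-ca project): it resolves the maximum TLS lifetime that a given ca.json configures for a provisioner, so it can be compared with the requested `--not-after`. The precedence (provisioner claims, then authority claims, then a 24h default), the type and function names, and the sample JSON (constructed from the claims in the report, key material left out) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type claims struct {
	Max string `json:"maxTLSCertDuration"`
}

type caConfig struct {
	Authority struct {
		Claims       *claims `json:"claims"`
		Provisioners []struct {
			Name   string  `json:"name"`
			Claims *claims `json:"claims"`
		} `json:"provisioners"`
	} `json:"authority"`
}

// Constructed sample: the claims from the issue, key material left out.
const sampleJSON = `{"authority": {"claims": {"maxTLSCertDuration": "87660h"},
  "provisioners": [{"type": "JWK", "name": "charly", "claims": {"maxTLSCertDuration": "87660h"}}]}}`

// EffectiveMax returns the maximum TLS lifetime this file sets for a provisioner.
// Assumed precedence: provisioner claims, then authority claims, then the 24h
// ceiling implied by the error message in the issue.
func EffectiveMax(raw []byte, provisioner string) (time.Duration, error) {
	var cfg caConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return 0, fmt.Errorf("ca.json does not parse: %w", err)
	}
	for _, p := range cfg.Authority.Provisioners {
		for _, c := range []*claims{p.Claims, cfg.Authority.Claims, {Max: "24h"}} {
			if p.Name == provisioner && c != nil && c.Max != "" {
				return time.ParseDuration(c.Max)
			}
		}
	}
	return 0, fmt.Errorf("provisioner %q not in this file", provisioner)
}

func main() {
	limit, err := EffectiveMax([]byte(sampleJSON), "charly")
	fmt.Println(limit, limit >= 2160*time.Hour, err) // 2160h is the --not-after from the issue
}
```

A result of 87660h for the edited file, next to a CA that still reports a 24h maximum, shows that the claims in that file are not the ones the running CA is enforcing.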

Labels: bug, needs triage (waiting for discussion / prioritization by team)