CertificateObject: Enable auto-reload for cacert & Add buildChain & Fixes (#3607)

2025-04-30 09:18:34 +00:00 · 2024-07-29 14:58:58 +08:00 · 2024-07-29 14:58:58 +08:00 · 4531a7e228
commit 4531a7e228
parent a342db3e28
5 changed files with 163 additions and 125 deletions
--- a/common/protocol/tls/cert/cert.go
+++ b/common/protocol/tls/cert/cert.go
@ -149,10 +149,6 @@ func Generate(parent *Certificate, opts ...Option) (*Certificate, error) {
 		BasicConstraintsValid: true,
 	}

-	for _, opt := range opts {
-		opt(template)
-	}
-
 	parentCert := template
 	if parent != nil {
 		pCert, err := x509.ParseCertificate(parent.Certificate)
@ -162,6 +158,17 @@ func Generate(parent *Certificate, opts ...Option) (*Certificate, error) {
 		parentCert = pCert
 	}

+	if parentCert.NotAfter.Before(template.NotAfter) {
+		template.NotAfter = parentCert.NotAfter
+	}
+	if parentCert.NotBefore.After(template.NotBefore) {
+		template.NotBefore = parentCert.NotBefore
+	}
+
+	for _, opt := range opts {
+		opt(template)
+	}
+
 	derBytes, err := x509.CreateCertificate(rand.Reader, template, parentCert, publicKey(selfKey), parentKey)
 	if err != nil {
 		return nil, errors.New("failed to create certificate").Base(err)