Cert validity should not exceed 397 days for publicly trusted issuers

lemur/common/validators.py

@@ -152,6 +152,18 @@ def dates(data):
                         data["authority"].authority_certificate.not_after
                     )
                 )
+            # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity
+            # for certs issued by public CA
+            # The list of public issuers can be managed through a config named PUBLIC_CA
+            public_CA = current_app.config.get("PUBLIC_CA", [])
+            if data["authority"].name.lower() in [ca.lower() for ca in public_CA]:
+                max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
+                if (
+                    (data.get("validity_end").date() - data.get("validity_start").date()).days
+                    > max_validity_days
+                ):
+                    raise ValidationError("Certificate cannot be valid for more than " +
+                                          str(max_validity_days) + " days")
 
     return data
 

lemur/plugins/lemur_digicert/plugin.py

@@ -82,11 +82,11 @@ def determine_end_date(end_date):
     :param end_date:
     :return: validity_end
     """
-    default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1)
-    max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years))
+    default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397)
+    max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days))
 
     if not end_date:
-        end_date = arrow.utcnow().shift(years=default_years)
+        end_date = arrow.utcnow().shift(days=default_days)
 
     if end_date > max_validity_end:
         end_date = max_validity_end