Scenario 3: Mandate a policy for certificate renewal

This scenario is for mandating a policy that allows users to renew their certificates only when certificates are within 30 days of expiring. When the condition is met, you can change the expiration date for the renew request so that the new certificate's validity period is extended by the number of days that are specified by the NotAfter parameter. In other words, the new certificate should expire n days from the current date, where n = number of days left in the old certificate's validity period + number of days specified by NotAfter.

The preprocessing exit routine call for GENRENEW and REQRENEW functions (subroutine preProcessGenReqRenewExit) handles the preceding logic. Here are the steps:
  • The user's certificate is extracted from the environment variable HTTPS_CLIENT_CERT.
  • The NotAfter value is extracted from the input parameters (argv), converted to a number, and saved in the variable requestPeriod.
  • Subroutine determineExpiration is called to extract the expiration date from the user's certificate. This subroutine calls several lower subroutines to base64 decode the certificate, DER decode the binary certificate, and convert the expiration date to a seconds value.
  • Upon return from determineExpiration, the variable timeBeforeExp is the number of seconds from now that the certificate expires. This is compared against the number of seconds in 30 days (86400 × 30) to see if it is greater than 30 days.
    • If it is greater than 30 days, the request is rejected by setting return code 8.
    • If it is not greater than 30 days, the new NotAfter value is computed as timeBeforeExp/86400 + requestPeriod (days left on the old certificate plus the requested number of days).
  • This new NotAfter value is set by writing it to STDOUT.
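The same policy, as an added Python example (not the REXX exit routine shipped with PKI Services): a small DER walker pulls notAfter out of the base64 certificate that HTTPS_CLIENT_CERT would carry, and the renewal rule from the steps above is applied to it. The certificate-shaped DER blob built by make_sample_cert is constructed input for the test, not a real signed certificate; the function names, the use of whole days (floor division) for timeBeforeExp/86400, and the 0/8 return-code pair are this example's assumptions.

```python
import base64
import datetime as dt
import os

THIRTY_DAYS = 86400 * 30   # the 30-day renewal window, in seconds
RC_OK = 0
RC_REJECT = 8              # return code the exit sets to reject the request

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, body_start, body_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length

def _find_validity(buf, start, end):
    """Depth-first walk returning the first SEQUENCE made of two time values
    (UTCTime 0x17 / GeneralizedTime 0x18), i.e. the Validity field."""
    pos = start
    while pos < end:
        tag, bstart, bend = _read_tlv(buf, pos)
        if tag & 0x20:                      # constructed: SEQUENCE, [0] EXPLICIT, ...
            members, p = [], bstart
            while p < bend:
                t, s, e = _read_tlv(buf, p)
                members.append((t, buf[s:e]))
                p = e
            if len(members) == 2 and all(t in (0x17, 0x18) for t, _ in members):
                return members
            found = _find_validity(buf, bstart, bend)
            if found:
                return found
        pos = bend
    return None

def _parse_time(tag, raw):
    """Decode UTCTime (YYMMDDHHMMSSZ, YY>=50 means 19YY per RFC 5280) or
    GeneralizedTime (YYYYMMDDHHMMSSZ) into an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def extract_not_after(cert_text):
    """notAfter from a base64 (or PEM-framed) DER certificate, as HTTPS_CLIENT_CERT carries it."""
    b64 = "".join(l for l in cert_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    validity = _find_validity(der, 0, len(der))
    if validity is None:
        raise ValueError("certificate has no Validity field")
    tag, raw = validity[1]                  # [0] is notBefore, [1] is notAfter
    return _parse_time(tag, raw)

def evaluate_renewal(not_after, request_period, now):
    """Apply the policy: reject (rc 8) if more than 30 days remain, otherwise return
    rc 0 and the new NotAfter in days = days left on the old cert + requested days."""
    time_before_exp = int((not_after - now).total_seconds())
    if time_before_exp > THIRTY_DAYS:
        return RC_REJECT, None
    return RC_OK, time_before_exp // 86400 + request_period

# ---- constructed sample input (not a real certificate) ----
def _tlv(tag, body):
    assert len(body) < 128               # short-form lengths suffice for this sample
    return bytes([tag, len(body)]) + body

def _utctime(s):
    return _tlv(0x17, s.encode("ascii"))

def make_sample_cert(not_before, not_after):
    """Minimal, unsigned certificate-shaped DER: version, serial, sigalg, issuer, validity, subject."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # [0] version v3
           + _tlv(0x02, b"\x01")                                               # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
           + _tlv(0x30, b"")                                                   # issuer (empty Name)
           + _tlv(0x30, _utctime(not_before) + _utctime(not_after))            # Validity
           + _tlv(0x30, b""))                                                  # subject (empty Name)
    return base64.b64encode(_tlv(0x30, tbs)).decode("ascii")

if __name__ == "__main__":
    # Use the real environment variable if present, else the constructed sample.
    cert = os.environ.get("HTTPS_CLIENT_CERT") or make_sample_cert("240601000000Z", "240615000000Z")
    rc, new_not_after = evaluate_renewal(extract_not_after(cert), 365,
                                         dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc))
    print(rc if rc else new_not_after)   # the exit writes the new NotAfter to STDOUT
```

Note that an already-expired certificate gives a negative timeBeforeExp, which the rule as stated simply adds to requestPeriod; whether that should instead be rejected is a policy decision the scenario leaves to the implementer.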