[Bug]: notBefore and notAfter values in template files are ignored
Steps to Reproduce
I was playing around with template files and noticed that the notBefore and notAfter values in template files are ignored by the step-cli.
You can easily reproduce it when you use the fields notBefore and/or notAfter in a template file and create a certificate. You can see an example in the Actual behavior section.
You can use this for testing:
```json
{
  "notBefore": "2020-01-01T00:00:00Z",
  "notAfter": "2030-01-01T00:00:00Z"
}
```
Your Environment
- OS - Fedora 42
- stepCLI Version - CLI/0.28.7 (linux/amd64)
Expected Behavior
When specifying the notBefore and/or notAfter fields I would expect that the dates will be carried over to the actual certificate. The fields are visible in the certificate.go.
Actual Behavior
When specifying a wrong value you can see from the error that it actually reads the value:
Additional Context
My use-case for this would be to create something like standalone cert-profiles that are fully defined as code and don't need the CLI parameters. Then you can just specify the parts that change like the Subject and SAN and then just have to add the template
Hey @dncman, thank you for opening the issue.
This is by design. The --not-before and --not-after flags can be used to set the appropriate certificate lifetime. Given that those values are more dynamic than the other parts of the template that don't depend on dynamic values, and generally should work from "~now" to some point in the future, setting hardcoded values in the template isn't the most practical way to go about this, hence the default values on the CA, provisioner, and the flags.
If you don't want to use step ca certificate with an online CA, you could look into using it with the --offline mode, which will take into account settings from the authority and provisioners: https://smallstep.com/docs/step-ca/certificate-authority-core-concepts/#offline-mode.
@hslatman thanks for checking.
> setting hardcoded values in the template isn't the most practical way to go about this
That makes sense of course. In my actual use-case I'm using relative values like for example: 0h for not-before and 2160h for not-after. Afaik they aren't supported in the .tpl file directly so I tried to set the relative values in a JSON file and utilize it with --set-file. Then in the .tpl file I utilize the date sprig functions to calculate the absolute date based on the relative values. I don't have a code snippet right now but off the top of my head it should be possible with dateModify (see Sprig Date Functions).
I double checked if the values are supported and found this in the docs:
The link points to the certificate.go which contains the notBefore and notAfter fields. So I assumed they should be supported:
> If you don't want to use step ca certificate with an online CA, you could look into using it with the --offline mode, which will take into account settings from the authority and provisioners: https://smallstep.com/docs/step-ca/certificate-authority-core-concepts/#offline-mode.
Generally I prefer the step certificate ... commands but good to know. I'll look into this a bit more.
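The reporter's "profile as code" idea, relative validity such as `0h`/`2160h` resolved against issuance time, carried into a certificate, as an added example that is not part of the thread and not step-cli's or go.step.sm/crypto's own code. It uses only Go's standard `crypto/x509` package (the type that step's `x509util.Certificate` ultimately renders into), so it runs offline; the `ProfileValidity` struct, the `sampleProfile` JSON and the hypothetical `example.internal` name are assumptions made for the example. It shows the duration-to-timestamp step the thread discusses doing with sprig's `dateModify`, plus the sanity check (notAfter must follow notBefore) a practitioner would want before issuing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ProfileValidity is a hypothetical "cert profile as code" fragment: validity
// given as Go durations relative to issuance, e.g. "0h" and "2160h" (90 days).
type ProfileValidity struct {
	NotBefore string `json:"notBefore"`
	NotAfter  string `json:"notAfter"`
}

// Resolve converts the relative durations into absolute UTC timestamps
// anchored at now. Timestamps are truncated to whole seconds because X.509
// encodes validity with second precision, so the parsed certificate will
// carry exactly these values.
func (p ProfileValidity) Resolve(now time.Time) (time.Time, time.Time, error) {
	nb, err := time.ParseDuration(p.NotBefore)
	if err != nil {
		return time.Time{}, time.Time{}, fmt.Errorf("notBefore: %w", err)
	}
	na, err := time.ParseDuration(p.NotAfter)
	if err != nil {
		return time.Time{}, time.Time{}, fmt.Errorf("notAfter: %w", err)
	}
	if na <= nb {
		return time.Time{}, time.Time{}, errors.New("notAfter must be later than notBefore")
	}
	base := now.UTC().Truncate(time.Second)
	return base.Add(nb), base.Add(na), nil
}

// IssueSelfSigned parses the profile JSON, resolves its validity window at
// now, and issues a self-signed P-256 leaf certificate for cn. It returns the
// certificate re-parsed from DER so callers see what a verifier would see.
func IssueSelfSigned(profileJSON []byte, cn string, now time.Time) (*x509.Certificate, error) {
	var p ProfileValidity
	if err := json.Unmarshal(profileJSON, &p); err != nil {
		return nil, fmt.Errorf("profile: %w", err)
	}
	nb, na, err := p.Resolve(now)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// 128-bit random serial, as CA/B Forum-style issuers do.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             nb,
		NotAfter:              na,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sampleProfile is constructed input mirroring the reporter's relative values.
const sampleProfile = `{"notBefore": "0h", "notAfter": "2160h"}`

func main() {
	cert, err := IssueSelfSigned([]byte(sampleProfile), "example.internal", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("notBefore=%s notAfter=%s\n", cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
}
```

Because `Resolve` truncates to seconds before the dates enter the template, the `NotBefore`/`NotAfter` read back from the DER match the resolved values exactly, which is the property to assert in any test of a profile-driven issuer.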