Limit generated certs to 200 days to match new CAB rules

pimterry · pimterry · commit 2d3f7fb768b6 · 2026-03-10T11:02:06.000+01:00
This doesn't matter really for usage as a private CA, where generally
these don't apply, but if you're injecting Mockttp certs as a standard
system CA anywhere the resulting certificates will generally have to be
200 days max.
diff --git a/src/util/certificates.ts b/src/util/certificates.ts
@@ -378,8 +378,8 @@ class CA {
         const notBefore = new Date();
         notBefore.setDate(notBefore.getDate() - 1); // Valid from 24 hours ago
 
-        const notAfter = new Date();
-        notAfter.setFullYear(notAfter.getFullYear() + 1); // Valid for 1 year
+        // As of March 2026, public certs are limited to 200 days
+        const notAfter = new Date(notBefore.getTime() + 200 * 24 * 60 * 60 * 1000);
 
         const extensions: x509.Extension[] = [];
         extensions.push(new x509.BasicConstraintsExtension(false, undefined, true));
diff --git a/test/certificates.spec.ts b/test/certificates.spec.ts
@@ -176,12 +176,21 @@ nodeOnly(() => {
             const caCertificate = await caCertificatePromise;
             const ca = await getCA({ key: caCertificate.key, cert: caCertificate.cert, keyLength: 1024 });
 
-            const { cert, key } = await ca.generateCertificate('localhost');
+            const { cert, key, expiresAt } = await ca.generateCertificate('localhost');
 
             expect(cert.length).to.be.greaterThan(1000);
             expect(cert.split('\n')[0]).to.equal('-----BEGIN CERTIFICATE-----');
-            expect(key.length).to.be.greaterThan(1000);
+            expect(key.length).to.be.greaterThan(500);
             expect(key.split('\n')[0]).to.equal('-----BEGIN PRIVATE KEY-----');
+
+            // Cert validity must be <= 200 days (notBefore is 1 day ago, notAfter is 199 days from now)
+            const certData = new x509.X509Certificate(cert);
+            const validityDays = (certData.notAfter.getTime() - certData.notBefore.getTime()) / (1000 * 60 * 60 * 24);
+            expect(validityDays).to.be.at.most(200);
+            expect(validityDays).to.be.at.least(199);
+
+            // expiresAt should match the cert's notAfter (within 1s - cert times have second precision)
+            expect(Math.abs(expiresAt.getTime() - certData.notAfter.getTime())).to.be.at.most(1000);
         });
 
         it("should be able to generate a CA certificate that passes lintcert checks", async function () {
