Acme v2 - does a response expose when the certificate expires?

In ACME v1, I was able to get the expiry of a certificate off the response headers to /acme/new-cert.

Under ACME v2 (testing against Pebble) I see the following:

  • the ‘finalize’ endpoint of an order has an “expires”
  • the order status endpoint has an “expires” (the endpoint being the new-order response’s “Location” header)

After a lot of testing, these seem to be 1 second off from the “expires” encoded in the certificate itself.

Should I just be parsing the signed certificate?

Yes, I think so. I don’t see anything that implies that the lifetime of a valid order resource must necessarily be related to the finalized certificate’s lifetime.

Maybe a CA can choose a 1 year lifetime for a certificate, but only keep the order around for a month.

3 Likes

That’s correct. There’s nothing in the RFC 8555 ACME API that exposes the lifetime of an issued certificate directly. You’ll want to parse the certificate returned from the valid order’s certificate URL.

3 Likes
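As an added example (not code from this thread or from Pebble), a small Go helper that reads the order object's "expires" and the notAfter of the leaf certificate served at the order's certificate URL as two separate values, so a client never mistakes one for the other. The self-signed chain, the order JSON and the dates are constructed stand-ins; a real client downloads the chain from the order.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// orderAndCertExpiry parses an RFC 8555 order object and the PEM chain served at its
// "certificate" URL (leaf first); only the returned notAfter is the certificate lifetime.
func orderAndCertExpiry(orderJSON, chainPEM []byte) (orderExp, certExp time.Time, err error) {
	var order struct{ Expires time.Time `json:"expires"` }
	if err = json.Unmarshal(orderJSON, &order); err != nil {
		return
	}
	block, _ := pem.Decode(chainPEM) // first block is the end-entity certificate
	if block == nil || block.Type != "CERTIFICATE" {
		return orderExp, certExp, fmt.Errorf("chain does not start with a CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return
	}
	return order.Expires, cert.NotAfter, nil
}

// selfSignedChain is a constructed stand-in for the chain a CA would serve:
// a self-signed leaf with the given notAfter (a real client downloads the chain).
func selfSignedChain(notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"}, NotBefore: notAfter.AddDate(0, -3, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed order that expires in a week while its certificate lasts three months.
	chain, _ := selfSignedChain(time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC))
	fmt.Println(orderAndCertExpiry([]byte(`{"status":"valid","expires":"2025-01-08T12:00:00Z"}`), chain))
}
```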

Thanks. The RFC uses “notAfter” and “notBefore” a few times in responses, but only defines them in the context of requests. I was hoping I had missed something… but I parse the certs already so it’s no big deal!