Default renewal time to halfway through certificates lifetime

Signed-off-by: James Munnelly <[email protected]>

Author: munnerz

manager/manager.go

@@ -18,6 +18,8 @@ package manager
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"math"
@@ -402,6 +404,18 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 		return fmt.Errorf("waiting for request: %w", err)
 	}
 
+	// Default the renewal time to be halfway through the certificate's duration.
+	// The implementation's writeKeypair function may override this value before
+	// writing to the storage layer.
+	block, _ := pem.Decode(req.Status.Certificate)
+	crt, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("parsing issued certificate: %w", err)
+	}
+	duration := crt.NotAfter.Sub(crt.NotBefore)
+	midpoint := crt.NotBefore.Add(duration / 2)
+	meta.NextIssuanceTime = &midpoint
+
 	if err := m.writeKeypair(meta, key, req.Status.Certificate, req.Status.CA); err != nil {
 		return fmt.Errorf("writing keypair: %w", err)
 	}