Detailed comments

Author: aarongable

cmd/ceremony/cert.go

@@ -258,8 +258,14 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 		}
 		validity := notAfter.Add(time.Second).Sub(notBefore)
 		if ct == rootCert && validity >= 9132*24*time.Hour {
+			// The value 9132 comes directly from the BRs, where it is described
+			// as "approximately 25 years". It's equal to 365 * 25 + 7, to allow
+			// for some leap years.
 			return nil, fmt.Errorf("root cert validity too large: %s >= 25 years", validity)
 		} else if (ct == intermediateCert || ct == crossCert) && validity >= 8*365*24*time.Hour {
+			// Our CP/CPS states "at most 8 years", so we calculate that number
+			// in the most conservative way (i.e. not accounting for leap years)
+			// to give ourselves a buffer.
 			return nil, fmt.Errorf("subordinate CA cert validity too large: %s >= 8 years", validity)
 		}
 		cert.NotBefore = notBefore