test: Update cert-checker & ca configs to match prod (#8303)

Author: jprenken

test/config-next/ca.json

@@ -54,39 +54,46 @@
 		"issuance": {
 			"certProfiles": {
 				"legacy": {
+					"omitCommonName": false,
+					"omitKeyEncipherment": false,
+					"omitClientAuth": false,
+					"omitSKID": false,
 					"includeCRLDistributionPoints": true,
 					"maxValidityPeriod": "7776000s",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
 						"w_subject_common_name_included",
+						"e_dnsname_not_valid_tld",
 						"w_ext_subject_key_identifier_not_recommended_subscriber"
 					]
 				},
-				"modern": {
+				"shortlived": {
 					"omitCommonName": true,
 					"omitKeyEncipherment": true,
 					"omitClientAuth": true,
 					"omitSKID": true,
 					"includeCRLDistributionPoints": true,
-					"maxValidityPeriod": "583200s",
+					"maxValidityPeriod": "160h",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert"
+						"w_ext_subject_key_identifier_missing_sub_cert",
+						"e_dnsname_not_valid_tld"
 					]
 				},
-				"shortlived": {
+				"modern": {
 					"omitCommonName": true,
 					"omitKeyEncipherment": true,
 					"omitClientAuth": true,
 					"omitSKID": true,
 					"includeCRLDistributionPoints": true,
-					"maxValidityPeriod": "160h",
+					"maxValidityPeriod": "583200s",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert"
+						"w_ext_subject_key_identifier_missing_sub_cert",
+						"e_dnsname_not_valid_tld"
 					]
 				}
 			},

test/config-next/cert-checker.json

@@ -10,12 +10,14 @@
 		"badResultsOnly": true,
 		"checkPeriod": "72h",
 		"acceptableValidityDurations": [
-			"7776000s"
+			"7776000s",
+			"160h"
 		],
 		"lintConfig": "test/config-next/zlint.toml",
 		"ignoredLints": [
-			"w_subject_common_name_included",
 			"w_ext_subject_key_identifier_missing_sub_cert",
+			"w_subject_common_name_included",
+			"e_dnsname_not_valid_tld",
 			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		],
 		"ctLogListFile": "test/ct-test-srv/log_list.json",

test/config/ca.json

@@ -55,45 +55,52 @@
 		"issuance": {
 			"certProfiles": {
 				"legacy": {
-					"allowMustStaple": true,
+					"allowMustStaple": false,
+					"omitCommonName": false,
+					"omitKeyEncipherment": false,
+					"omitClientAuth": false,
+					"omitSKID": false,
 					"omitOCSP": true,
 					"includeCRLDistributionPoints": true,
 					"maxValidityPeriod": "7776000s",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
 						"w_subject_common_name_included",
+						"e_dnsname_not_valid_tld",
 						"w_ext_subject_key_identifier_not_recommended_subscriber"
 					]
 				},
-				"modern": {
-					"allowMustStaple": true,
+				"shortlived": {
+					"allowMustStaple": false,
 					"omitCommonName": true,
 					"omitKeyEncipherment": true,
 					"omitClientAuth": true,
 					"omitSKID": true,
 					"omitOCSP": true,
 					"includeCRLDistributionPoints": true,
-					"maxValidityPeriod": "583200s",
+					"maxValidityPeriod": "160h",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert"
+						"w_ext_subject_key_identifier_missing_sub_cert",
+						"e_dnsname_not_valid_tld"
 					]
 				},
-				"shortlived": {
-					"allowMustStaple": true,
+				"modern": {
+					"allowMustStaple": false,
 					"omitCommonName": true,
 					"omitKeyEncipherment": true,
 					"omitClientAuth": true,
 					"omitSKID": true,
 					"omitOCSP": true,
 					"includeCRLDistributionPoints": true,
-					"maxValidityPeriod": "160h",
+					"maxValidityPeriod": "583200s",
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert"
+						"w_ext_subject_key_identifier_missing_sub_cert",
+						"e_dnsname_not_valid_tld"
 					]
 				}
 			},

test/config/cert-checker.json

@@ -10,11 +10,13 @@
 		"badResultsOnly": true,
 		"checkPeriod": "72h",
 		"acceptableValidityDurations": [
-			"7776000s"
+			"7776000s",
+			"160h"
 		],
 		"ignoredLints": [
-			"w_subject_common_name_included",
 			"w_ext_subject_key_identifier_missing_sub_cert",
+			"w_subject_common_name_included",
+			"e_dnsname_not_valid_tld",
 			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		],
 		"ctLogListFile": "test/ct-test-srv/log_list.json"