From f77951d058ec19835eec35f41f0e04f0edcd61a4 Mon Sep 17 00:00:00 2001
From: ValdikSS
Date: Sat, 30 Apr 2022 00:37:19 +0300
Subject: [PATCH] Set notBefore/notAfter to the beginning of the year

This modification adds "nodatetime" argument to build-client-full and build-server-full which issues the certificate with notBefore and notAfter date set to 1 Jan, with difference in the year only. It could be useful for a VPN service to prevent client and server certificate generation date and time disclosure.
---
 easyrsa3/easyrsa | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index cd24375..f2eb822 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -110,6 +110,8 @@ cmd_help() {
 This mode uses the as the X509 CN."
 opts="
 nopass - do not encrypt the private key (default is encrypted)
+ nodatetime - generate certificate with start and end date
+ of 01 January 00:00:00 changing year only
 inline - create an inline credentials file for this node"
 ;;
 revoke) text=" revoke [reason]
@@ -1182,6 +1184,8 @@ sign_req() {
 crt_type="$1"
 req_in="$EASYRSA_PKI/reqs/$2.req"
 crt_out="$EASYRSA_PKI/issued/$2.crt"
+ start_date=$(date "+%Y")"0101000000Z"
+ end_date=$(date "+%Y" -d "$EASYRSA_CERT_EXPIRE day")"0101000000Z"
 
 # Randomize Serial number
 if [ "$EASYRSA_RAND_SN" != "no" ];
@@ -1317,6 +1321,7 @@ $ext_tmp"
 # sign request
 crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
 easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
+ $([ "$4" = "nodatetime" ] && echo "-startdate" "$start_date" "-enddate" "$end_date") \
 -extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 || die "signing failed (openssl output above may have more detail)"
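Review bot: The new `end_date=$(date "+%Y" -d "$EASYRSA_CERT_EXPIRE day")"0101000000Z"` line in sign_req depends on GNU date: `-d` is not POSIX and BSD/macOS date rejects it, and giving the option after the `+%Y` operand only works because GNU permutes arguments, so on other platforms end_date would presumably collapse to `0101000000Z` with an error on stderr. Both assignments also run on every sign_req call, not only when nodatetime is requested, so that error would appear even for callers that never asked for the feature; wrap them in the same `[ "$4" = "nodatetime" ]` test used at the signing call and put the option first, `end_date=$(date -d "$EASYRSA_CERT_EXPIRE day" "+%Y")0101000000Z`. Truncating notAfter to 1 January also means the certificate can expire up to a year earlier than EASYRSA_CERT_EXPIRE days, which deserves a comment above the two lines, e.g. `# nodatetime: fix notBefore/notAfter to 1 Jan 00:00:00 UTC; notAfter is truncated to the year, so validity may be shorter than EASYRSA_CERT_EXPIRE`. sign_req's body continues outside this hunk.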
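Review bot: The unquoted `$([ "$4" = "nodatetime" ] && echo "-startdate" "$start_date" "-enddate" "$end_date")` inserted into the easyrsa_openssl ca command hides a conditional inside the argument list, relies on word splitting of the echo output, and assumes echo never treats `-startdate` as an option; it also ties the feature to the fourth positional argument, which only works because the build-*-full caller in hunk @@ -1371 always passes `batch` before it, so any direct sign_req caller omitting that argument would silently lose the flag. Building the optional arguments before the call keeps the intent visible, e.g. `date_opts=` then `[ "$4" = "nodatetime" ] && date_opts="-startdate $start_date -enddate $end_date"` and `$date_opts` (unquoted by design, the values contain no whitespace) on the command line. A short comment such as `# -days is still passed; openssl honours -startdate/-enddate when nodatetime is given` would explain why both forms appear together. sign_req starts and ends outside this hunk.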
@@ -1351,6 +1356,7 @@ Run easyrsa without commands for usage and commands."
 while [ -n "$1" ]; do
 case "$1" in
 nopass) nopass=1 ;;
+ nodatetime) nodatetime=1 ;;
 inline) EASYRSA_INLINE=1 ;;
 *) warn "Ignoring unknown command option: '$1'"
 esac
@@ -1371,7 +1377,7 @@ Matching file found at: "
 gen_req "$name" batch ${nopass+ nopass}
 
 # Sign it
- ( sign_req "$crt_type" "$name" batch ) || {
+ ( sign_req "$crt_type" "$name" batch ${nodatetime+ nodatetime} ) || {
 rm -f "$req_out" "$key_out"
 die "Failed to sign '$name'"
 }