secure-files PEM certificate metadata shows certificate issue date instead of expiration date

I've found a bug in the Mobile DevOps Incubation Engineering project.

When uploading a PEM certificate to secure-files, GitLab extracts metadata from the PEM cert file including the expiration date, and shows this data in the UI as well as the API. However, it's really getting this information from the cert start date, and calling it the Expires at date.

openssl x509 -startdate -noout -in cert.pem
# ^ this is what's being shown in the metadata "Expires at"

openssl x509 -enddate -noout -in cert.pem
# ^ this is what should be shown

Impact

Anyone browsing the secure files metadata will be misled into thinking the certificate is expired.
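
The field mix-up described above, reproduced as an added example with Ruby's standard OpenSSL bindings; this is not GitLab's code. The certificate is constructed inline, and `certificate_metadata`, `expires_at_from_start_date` and `expired?` are hypothetical helper names.

```ruby
require "openssl"

# Constructed sample validity window (equivalent to -startdate / -enddate).
ISSUED  = Time.utc(2024, 1, 1)
EXPIRES = Time.utc(2025, 1, 1)

# Build a throwaway self-signed certificate so the example runs offline.
def build_sample_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example.test")
  cert.public_key = key.public_key
  cert.not_before = ISSUED   # notBefore: start of validity
  cert.not_after  = EXPIRES  # notAfter: end of validity
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Hypothetical reproduction of the symptom: the start date is read
# and then labelled as the expiry.
def expires_at_from_start_date(pem)
  OpenSSL::X509::Certificate.new(pem).not_before.utc
end

# Hypothetical corrected extractor: keep both fields, named for what they are.
def certificate_metadata(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  {
    subject: cert.subject.to_s,
    issued_at: cert.not_before.utc,
    expires_at: cert.not_after.utc
  }
end

# A certificate is expired only once "now" is past notAfter.
def expired?(expires_at, now = Time.now.utc)
  now > expires_at
end
```

A regression test for this class of bug should assert that the extracted expiry equals notAfter and is later than notBefore, using a certificate whose two dates differ.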