kubernetes-sigs
diff --git a/‎pkg/admission/cert/writer/certwriter.go
Lines changed: 42 additions & 11 deletions b/‎pkg/admission/cert/writer/certwriter.go
Lines changed: 42 additions & 11 deletions
diff --git a/‎pkg/admission/cert/writer/certwriter_test.go
Lines changed: 229 additions & 5 deletions b/‎pkg/admission/cert/writer/certwriter_test.go
Lines changed: 229 additions & 5 deletions
@@ -19,10 +19,13 @@ package writer
 import (
 	"bytes"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"log"
 	"net/url"
+	"time"
 
 	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -39,6 +42,8 @@ const (
 	ServerCertName = "cert.pem"
 )
 
+const month = 31 * 24 * time.Hour
+
 // CertWriter provides method to handle webhooks.
 type CertWriter interface {
 	// EnsureCert ensures that the webhooks have proper certificates.
@@ -91,8 +96,16 @@ func handleCommon(webhook *admissionregistrationv1beta1.Webhook, ch certReadWrit
 		return err
 	}
 
+	dnsName, err := dnsNameForWebhook(&webhook.ClientConfig)
+	if err != nil {
+		return err
+	}
 	// Recreate the cert if it's invalid.
-	if !validCert(certs) {
+	valid, err := validCert(certs, dnsName, 6*month)
+	if err != nil {
+		return err
+	}
+	if !valid {
 		log.Printf("cert is invalid or expiring, regenerating a new one")
 		certs, err = ch.overwrite(webhook.Name)
 		if err != nil {
@@ -141,19 +154,37 @@ type certReadWriter interface {
 	overwrite(webhookName string) (*generator.Artifacts, error)
 }
 
-func validCert(certs *generator.Artifacts) bool {
-	// TODO:
-	// 1) validate the key and the cert are valid pair e.g. call crypto/tls.X509KeyPair()
-	// 2) validate the cert with the CA cert
-	// 3) validate the cert is for a certain DNSName
-	// e.g.
-	// c, err := tls.X509KeyPair(cert, key)
-	// err := c.Verify(options)
+func validCert(certs *generator.Artifacts, dnsName string, validTime time.Duration) (bool, error) {
 	if certs == nil {
-		return false
+		return false, nil
 	}
+
+	// Verify key and cert are valid pair
 	_, err := tls.X509KeyPair(certs.Cert, certs.Key)
-	return err == nil
+	if err != nil {
+		return false, nil
+	}
+
+	// Verify cert is good for desired DNS name and signed by CA and will be valid for desired period of time.
+	pool := x509.NewCertPool()
+	if !pool.AppendCertsFromPEM(certs.CACert) {
+		return false, nil
+	}
+	block, _ := pem.Decode([]byte(certs.Cert))
+	if block == nil {
+		return false, nil
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, nil
+	}
+	ops := x509.VerifyOptions{
+		DNSName:     dnsName,
+		Roots:       pool,
+		CurrentTime: time.Now().Add(validTime),
+	}
+	_, err = cert.Verify(ops)
+	return err == nil, nil
 }
 
 func getWebhooksFromObject(obj runtime.Object) ([]admissionregistrationv1beta1.Webhook, error) {
 
@@ -154,11 +154,16 @@ var _ = Describe("handleCommon", func() {
 	var invalidCert *generator.Artifacts
 
 	BeforeEach(func(done Done) {
-		webhook = &admissionregistration.Webhook{}
+		url := "https://example.com/admission"
+		webhook = &admissionregistration.Webhook{
+			ClientConfig: admissionregistration.WebhookClientConfig{
+				URL: &url,
+			},
+		}
 		cert = &generator.Artifacts{
-			CACert: []byte(`CACertBytes`),
-			Cert:   []byte(certPEM),
-			Key:    []byte(keyPEM),
+			CACert: []byte(pair1CA),
+			Cert:   []byte(pair1Cert),
+			Key:    []byte(pair1Key),
 		}
 		invalidCert = &generator.Artifacts{
 			CACert: []byte(`CACertBytes`),
@@ -188,7 +193,11 @@ var _ = Describe("handleCommon", func() {
 			certrw := &fakeCertReadWriter{
 				readCertAndErr: []certAndErr{
 					{
-						err:  notFoundError{errors.NewNotFound(schema.GroupResource{}, "foo")},
+						err: notFoundError{errors.NewNotFound(schema.GroupResource{}, "foo")},
+					},
+				},
+				writeCertAndErr: []certAndErr{
+					{
 						cert: cert,
 					},
 				},
@@ -198,6 +207,7 @@ var _ = Describe("handleCommon", func() {
 			Expect(err).NotTo(HaveOccurred())
 			Expect(certrw.numReadCalled).To(Equal(1))
 			Expect(certrw.numWriteCalled).To(Equal(1))
+			Expect(certrw.numOverwriteCalled).To(Equal(0))
 		})
 
 		It("should return the error on failed write", func() {
@@ -218,6 +228,7 @@ var _ = Describe("handleCommon", func() {
 			Expect(err).To(MatchError(goerrors.New("failed to write")))
 			Expect(certrw.numReadCalled).To(Equal(1))
 			Expect(certrw.numWriteCalled).To(Equal(1))
+			Expect(certrw.numOverwriteCalled).To(Equal(0))
 		})
 	})
 
@@ -234,6 +245,8 @@ var _ = Describe("handleCommon", func() {
 			err := handleCommon(webhook, certrw)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(certrw.numReadCalled).To(Equal(1))
+			Expect(certrw.numWriteCalled).To(Equal(0))
+			Expect(certrw.numOverwriteCalled).To(Equal(0))
 		})
 
 		It("should return the error on failed read", func() {
@@ -248,6 +261,8 @@ var _ = Describe("handleCommon", func() {
 			err := handleCommon(webhook, certrw)
 			Expect(err).To(MatchError(goerrors.New("failed to read")))
 			Expect(certrw.numReadCalled).To(Equal(1))
+			Expect(certrw.numWriteCalled).To(Equal(0))
+			Expect(certrw.numOverwriteCalled).To(Equal(0))
 		})
 	})
 
@@ -269,6 +284,7 @@ var _ = Describe("handleCommon", func() {
 			err := handleCommon(webhook, certrw)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(certrw.numReadCalled).To(Equal(1))
+			Expect(certrw.numWriteCalled).To(Equal(0))
 			Expect(certrw.numOverwriteCalled).To(Equal(1))
 		})
 
@@ -289,6 +305,7 @@ var _ = Describe("handleCommon", func() {
 			err := handleCommon(webhook, certrw)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(certrw.numReadCalled).To(Equal(1))
+			Expect(certrw.numWriteCalled).To(Equal(0))
 			Expect(certrw.numOverwriteCalled).To(Equal(1))
 		})
 
@@ -413,3 +430,210 @@ var _ = Describe("dnsNameForWebhook", func() {
 		})
 	})
 })
+
+// pair1 is for DNS name: example.com
+var pair1Cert = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC2TCCAcGgAwIBAgIIfnO/uBlD+jMwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UE
+AxMPd2ViaG9vay1jZXJ0LWNhMB4XDTE4MDcxMDIyMTgxN1oXDTE5MDcxMDIyMTgx
+OFowFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDRWApXn6WIAw2ZU/q2WPU2X0I4brwZvvx3UBIKGYE6rxirWpNC
+zBBsK4lnn+5BTiS2cE59jZ1AAp1hwzlmmrok7PXQJuUX7rojIJ1JG3OqZAvVKv0y
+Hu7naPLR0mF51goEolsq79/6RMFEHnEG/PW/EHOSrmL+alENWhTANUBlwMQ/1J8P
+EnayvrX3RynNA98WOiKDpsFcj53pXd2zUlPZ5tht7HafWrkK/g8kZAe/b1XAlFaY
+usPOyhJFPiBYRatIRt7Txb582qHd85VeKkrjat3yfEQqsA52r0CmOot52RG+8uXr
+smuBGjtMYmsUiwn5f4UMCT3gqrWaHfOdais7AgMBAAGjJzAlMA4GA1UdDwEB/wQE
+AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAGAEm
+X6IL/A4DhmlcmedS9oCmp4qtyE3at4xU+7GIQ6fVMUAKpbXnXl5FEH+cuEbdzfTW
+DDCXxnpQmK6TJR+IEjmyNv1AOOLXiHiTCQVzz1rTyJN8mhUSRuoLC3KjfdI3Ccl2
+VwLm3IYQlEY/BQr7XiRLFws1ilVl04iSwwQEKiCmAe/9yZEPvH9l9USVoLvtJJc8
+t95PX4eUGYPGyO6nQWGX/4HvUo26XBXFEv+q2Lu5aOKhro4VF12p3nqkxG+kOmp1
+IF+79qBdgMtQfaKazRkAG2iWPPz6W6WvVGaczvodX7B0JCe+b9+Vd3zY2w5vaZq6
+JHVoxUBuexCYndPf8w==
+-----END CERTIFICATE-----
+`)
+
+var pair1Key = []byte(`
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0VgKV5+liAMNmVP6tlj1Nl9COG68Gb78d1ASChmBOq8Yq1qT
+QswQbCuJZ5/uQU4ktnBOfY2dQAKdYcM5Zpq6JOz10CblF+66IyCdSRtzqmQL1Sr9
+Mh7u52jy0dJhedYKBKJbKu/f+kTBRB5xBvz1vxBzkq5i/mpRDVoUwDVAZcDEP9Sf
+DxJ2sr6190cpzQPfFjoig6bBXI+d6V3ds1JT2ebYbex2n1q5Cv4PJGQHv29VwJRW
+mLrDzsoSRT4gWEWrSEbe08W+fNqh3fOVXipK42rd8nxEKrAOdq9ApjqLedkRvvLl
+67JrgRo7TGJrFIsJ+X+FDAk94Kq1mh3znWorOwIDAQABAoIBAQDM3MFSOnL9BS/b
+qmkg5TEiQlpFa2g8McBS6lKc+5SRXyRfG8YciiJQGNLgS4wW8GfQ+Vp2V41ZRLXL
+JAcaN7SNyi5LwqRSpVYWZiZFks3AIyPJOcaJs+fLIdLuLlkhp6oqGs/o1tFy0rHm
+/XtSgV3j2i+fjXRm0Jf83viLmBErAJCgo+TD9dS7VCzdCDtiZpKHUq8EvQD9FRzF
+P3B59LHCTcCFBB+j8l9aE96eWsEXcuFUdghB+w0C85MTR3FEIDPd29mbXgZ3AlS3
+FwIatBargbhuyudNie/AusngCZZ1BxAUvIg3Nk/fI3Wgy8lPy4fF/tgJLUmAhDew
+vJ7j804xAoGBANOfVofdyPnAJJSTKG9ELkaG6pwseLrokcHQhVDXm+RAfk18OGUh
+W2mc/DpRtVPPGKoiylirE29qB9E5fywJVaEkEjd2Tb2TQPjDOKwMhJTGnrbvlhpr
+0/Zo70G5BqHn9EHMixdsNrSNwau1RYhLOfTpb9w4hzVntzJAAGK/l/MtAoGBAP0+
+YkVuqwyN6ct8ct7tgwFRH75SV4HoARwKrsZZKlCAGGc7WsfYmXx8Tu5eXEkhMDpN
+4wpj44squdj6+JFJEGdk2POwPa2onwCirbffImF/0AZHHm/WRxrQMlqcfnE+TYAr
+tQJZtlTi1tRXYGqDC2PR2lrejTDmjgtyfsWYA7kHAoGAQZuemhS6YCOfs6hD2usK
+ZbciOTTYYSoFNk9NZZjSrdsIzUD7wu6qhn2y/OmkC82i2exbS04OgnYe4lCvCpoC
+QCkMtMEqrOFgPT9Y7I4c9Hr3bcOth5dyaWxy8K9KTRu6cEPXw3U7KJLiPje+zNh1
+qWZN1bp4wKfc9ek9tV+s3ikCgYAulAjTKHXBi2CTEsK2Cg1scpVaFh8OP7Pkinp2
+9PN5dvYGFr6tv0MLyHlkEmr68GXEc4rs4E57zFH+fLq3Ti78NWpJ+AKALGGCZml5
+Rks2j6GdZftNKqZNYjnAvMPs5D6w8lkKo6GLn2VQDPoo3Q19QJ3e1Mw3UFCT/m0e
+vsUAhQKBgGNiN6EyMAcRn8Wh5kyY5jStDQKtID0reFUYf0VZcfNf8KSKqhJzHy8X
+S7R8Pq3QKiWo86tqFrA1PgcwD/69m5SzFo1JPWzDSiiLvwcigsurEoK1m3zUpSC0
+gD2teD4DuJSvS19WvRebC3035/qYOrmv2PAIaKSiYNzcGmDSOX9A
+-----END RSA PRIVATE KEY-----
+`)
+
+var pair1CA = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw93ZWJo
+b29rLWNlcnQtY2EwHhcNMTgwNzEwMjIxODE3WhcNMjgwNzA3MjIxODE3WjAaMRgw
+FgYDVQQDEw93ZWJob29rLWNlcnQtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDkXTPy5gJAjigEgyDU/+kEdAoTZKkaLXv45rJqLIozSyV/DveF1F6m
+/0C9K8IIAIM5T6TsYsS0BhD2CM/wWi1flXcG25vtA7n8RHuklkZqGx/LfKzdkElW
++lETAAtcIIiJrTS1JLxfzRaeFMdmiRF+hByfRtWiMOG+yYzQp6VmI72FU6u/5PcA
+NInDuYx9iIjov6FEmK2nSJpZY7Z4UNCpQAui3IsajAtM0T+mnX2O3PA85ELtzZis
+hLSfnG3dQum7JtjA47co48W20BV43fiIZTyA16oMJirOW8Y/XNVaXvUduFSkhskf
+w5mNRL+NQcjaXuZxslpg4KDPWNWM1EIVAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwIC
+pDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDMxCy8Uvf1JHFP
+xtetGeeXs5lA9lFaxHlhsHfpGkuFd0exrNZTbNx4BJ2fwkmAreiJ9G5ykNcxFAx5
+8T1ri02elRDUQUkUSk1CYOvRjL7Tb2tXVOfPKUuNp8KX4YyQ+8H6QRi9Sz02AJ2U
+mNsQ+hnzKYNm4ew8gdmoUNzdPpovSo/GWmETScVV30i+odlA7yyww2MTWoZYXApI
+TW0pve7WWIK9L7sqmUwLS4ib0IoqcRCNuoMrz/ddDTkIxLmzWhVh3E72xWmXOnlm
+asdwRTGdlUKCvEN4BJMc99NswRPr3HwHHFOyf49LeDY+oZ1JcukGyVJNIjOat9Nk
+NU/8tP41
+-----END CERTIFICATE-----
+`)
+
+// pair 2 is for DNS name: test-service.test-svc-namespace.svc
+var pair2Cert = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC8TCCAdmgAwIBAgIIM5wsxq4y7pkwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UE
+AxMPd2ViaG9vay1jZXJ0LWNhMB4XDTE4MDcxMDIzMDAzM1oXDTE5MDcxMDIzMDAz
+M1owLjEsMCoGA1UEAxMjdGVzdC1zZXJ2aWNlLnRlc3Qtc3ZjLW5hbWVzcGFjZS5z
+dmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7SNlyOM4k/HpYka+i
+Mt+INws+a+qQMVWsazjNfeeP83ckMjVQzfIhmUGhBKxruqqJ9GqxWQtKWieBVTC8
+mIoj00k3oF/r8V+DArOUcmTs0hHBhL+KMwtKMk1hYvHoiz7xwNtHNIhPy1n2z4zR
+kLkqhe/rQz55jLv6p6nJ9weHEsjgrTmzHNhvE1c/bII80Q4LH9dx+VUmLCoUfY5s
+byYOJJD5u0s9OxwKoPFFKPFRCsOj9lUhkmt6AArcAGBi5WXsc3faaF3vATRQ3v8E
+Gy6L0TqA1PRiP1taeperB0NBMNhiwtaKrXfQ5l9fMjWXGnn7WuuiAwVFIXhNR7ZN
+CwjrAgMBAAGjJzAlMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcD
+ATANBgkqhkiG9w0BAQsFAAOCAQEAQlO4peuNKtUHeXQ231LFNrTVg08dIEnHcuOk
+laUfeUoKE5ifNjdQBArtcECFlgGqSXEBS+fQnM9BEV2f6/ANyabPXmKugXWPpQEN
+uzCduxVSnBYqq28KtJ3Yj0SgPiQ/Wawn/6t5r/RSdkIymDzR4Wb1kL7oaMCGjeRc
+GAooblrPq3dKxJPi163BpxH0iL9Id4ZU4agFV12gUjv7IaHlzhWN+OkyaRRDKR59
+USlbVnnjNqFoNwzxfEcVZlCSGwSmx8LxpcYbaclnka2BmSKZSaxlQlNWKhZHXi8M
+CrJdMmDbdPjR/GC87Ub1XRATpZtvyR3enDrrArHHfblCNNTALQ==
+-----END CERTIFICATE-----
+`)
+
+var pair2Key = []byte(`
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAu0jZcjjOJPx6WJGvojLfiDcLPmvqkDFVrGs4zX3nj/N3JDI1
+UM3yIZlBoQSsa7qqifRqsVkLSlongVUwvJiKI9NJN6Bf6/FfgwKzlHJk7NIRwYS/
+ijMLSjJNYWLx6Is+8cDbRzSIT8tZ9s+M0ZC5KoXv60M+eYy7+qepyfcHhxLI4K05
+sxzYbxNXP2yCPNEOCx/XcflVJiwqFH2ObG8mDiSQ+btLPTscCqDxRSjxUQrDo/ZV
+IZJregAK3ABgYuVl7HN32mhd7wE0UN7/BBsui9E6gNT0Yj9bWnqXqwdDQTDYYsLW
+iq130OZfXzI1lxp5+1rrogMFRSF4TUe2TQsI6wIDAQABAoIBAQCXPwfMRK/GEtfD
+OzQ5qxf2a217Ja+ybwUfTx/6Y9lj2Vy4MIv6C7elBp2HqbyM65zZ+DdJrf1+ODx7
+KA9J325/7BvO/oc4hh96L+5SzedPkX6hZ9E/jGVrsB/pq/xsrjdRCUyMvpHuzuyC
+c67ndxbyjmPo/M8xXkRY8pod7o93toQ1Pao1w2sgHx6fOMVj9l2OquFAOwM7/PMa
+ro+a2FwZHfX4Z+2AHGaCfbi6C8JgkIF4p5UkEziHbH5nxIQLKSb8nui/Zap3h9F/
+a/40TuE6oRQbZl8SJuUEZMIF08PV9QLQLo859GArdq6tEyEov/+P54JPOt8ARzwJ
+tqh4qOohAoGBANpnca1OROh3fzov03fhJLiGc0NeCjCbhEr887C0b91v/WyLGCjK
+lb+wmqxxTkWqrnAihyYZ5LGnxUbypX17weIpOWdOo1UO+AFxn4qD3K6mhWuNyn9+
+dlCoYcsBIKrLygCjmkvWcAq03g1bxykYNHPg+SSE+JCzyDPMDRRpWwh5AoGBANuG
+CpxjOtHL5lj9LoI5QTK3X3LuBVtIAu+lT5lRTKacnU21eEyO3XnX0BlQx8Z+SYKk
+DVLdHJ1bhqra2+1cprsFW6VPOn7hjaiCmoHqy/aJ4F3eeMtuCPOUG+In/b8swaXV
+V/dPbimiizKaeg/BohAz+8j1I9khxNvn+05lvIuDAoGBAMevbLAXr8kb+Kcqsx4Y
+K4rK4vflM0vd5MbrH6OgVecQTZTAWAZzsxbgUYr4zafEtliwOQENC5ui2SxVDhn8
+3Pf62RErRQqv9PDdAhGTHmJQvgvoSAzpgyOb0E3bahK+4KJU8u4D0cz4MU3la+KW
+zt5kA2bwbJNgzNsO5aaT7TeBAoGBALxyJbu4Ry8ADV6JARrTEY/68FoVz81bVQHp
+9BnWO6mvOi4SQRHfdmp5A/Anc0eG843NTI68tyqx/jm/JRpu9cYIRHL1P27aKyPj
+8cTjDXI3S77pEuL3M4H9u635zI8HWbkFGr13l0bwfPPUvkG2ZGvqZBNPtRVZMsfg
+LdBP73oHAoGAdiwCHndHuylxNeL3rB6GYdfBh/gHMidb5v+tDrvzQuryb/CH3Sby
+rWDh2D/KVWeil1fn00/fIIt11dR1vQ9r7/X+hlzZq0xZbbKogPeXgvgmO34wSyha
+8ar7jKsQwVsE/FAqryItE93Mw0ogheEUTrDxD1vEe4xYRi8Jk+pJKDY=
+-----END RSA PRIVATE KEY-----
+`)
+
+var pair2CA = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIBADANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw93ZWJo
+b29rLWNlcnQtY2EwHhcNMTgwNzEwMjMwMDMzWhcNMjgwNzA3MjMwMDMzWjAaMRgw
+FgYDVQQDEw93ZWJob29rLWNlcnQtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCqHWHCyD33VaZ1WpPFFymAmypXQL1S/ZCmNygDgni7IRpseA70H0bb
+Wp2KRO7rp/ggtIGVNqj1R99GLf4w22oN5I2ENHL2BSEIccFG0KCovHuec/2I6gAk
+ZpMZROwp9TUL207ArB13oNyY6XBWIDOriPdC2oXj5JHkge9895FgjuBxN80xzjs+
+KpACRBa6iJy8xuCqrxc57zFcfKLxi5rdRAznhAuuCsPfOndZANZhknDv9lSyXll+
+uJVBo4+p62i8lz3+6TxO0NgAw7Ddw3N8lxq2WiGX5eUu6Goha7skG6OZrIAkQeHs
+O9aIPGouLNYIAQjl4xtsB1JLGKi40KgNAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwIC
+pDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAlP5qFvH3G9JXF
+GxHm3nhcwBtez/NjbohhtoiwxY8vqEas3JtD5TKujew5m774ddNZUL29yr9Bumz3
+HxTMT9WF7WV3pORRqQ23phjEgkl2kAoQMaCca5bLOUq7g/aEna66Ep3AcSbbaONG
+VntKif6kU79jx40NS8fvqcKOYEFYDCk5xmGH//xf8l0Mt3CKI0DrWUTiVfImsYEy
+VrQIySVlmWA0awlOB4/fB7/3slf1nBWXY1tiIOQpc6K4mbJjHcSekp5T8GrR38Se
+Vvnwc7+eaaZECqlPF108hrIShJoDW0BvnY23Y1vJlMHb7BPjTu7rlu4+aHvn2HX4
+KkYt/5rj
+-----END CERTIFICATE-----
+`)
+
+var _ = Describe("validate cert", func() {
+	Context("invalid pair", func() {
+		It("should detect it", func() {
+			certs := generator.Artifacts{
+				CACert: pair1CA,
+				Cert:   pair1Cert,
+				Key:    pair2Key,
+			}
+			valid, err := validCert(&certs, "example.com", 6*month)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(valid).To(BeFalse())
+		})
+	})
+
+	Context("CA not matching", func() {
+		It("should detect it", func() {
+			certs := generator.Artifacts{
+				CACert: pair2CA,
+				Cert:   pair1Cert,
+				Key:    pair1Key,
+			}
+			valid, err := validCert(&certs, "example.com", 6*month)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(valid).To(BeFalse())
+		})
+	})
+
+	Context("DNS name not matching", func() {
+		It("should detect it", func() {
+			certs := generator.Artifacts{
+				CACert: pair1CA,
+				Cert:   pair1Cert,
+				Key:    pair1Key,
+			}
+			valid, err := validCert(&certs, "foo.com", 6*month)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(valid).To(BeFalse())
+		})
+	})
+
+	Context("gen a cert valid for 1 year", func() {
+		var certs *generator.Artifacts
+		var err error
+		BeforeEach(func(done Done) {
+			gen := &generator.SelfSignedCertGenerator{}
+			certs, err = gen.Generate("example.com")
+			Expect(err).NotTo(HaveOccurred())
+			close(done)
+		}, 10)
+		It("expiration detection should work", func() {
+			valid, err := validCert(certs, "example.com", 11*month)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(valid).To(BeTrue())
+
+			valid, err = validCert(certs, "example.com", 13*month)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(valid).To(BeFalse())
+		})
+	})
+})