From 1958e287b089fca9b3c423fea24911890b5bf0d2 Mon Sep 17 00:00:00 2001
From: Meng Han
Date: Wed, 16 Oct 2024 08:49:33 -0700
Subject: [PATCH] address comments

---
 .../services/certificate_authority/customca.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/confidant/services/certificate_authority/customca.py b/confidant/services/certificate_authority/customca.py
index 8d602f8f..32ac1495 100644
--- a/confidant/services/certificate_authority/customca.py
+++ b/confidant/services/certificate_authority/customca.py
@@ -45,7 +45,7 @@ class CustomCertificateAuthority(CertificateAuthorityBase):
     """
 
     def __init__(self, ca_env: str):
-        self.ca_id = ca_env
+        self.ca_env = ca_env
         self.active_ca_id = None
         self.ca_json = self._get_ca_in_json(ca_env)
         self.ca_certificate = self._load_ca_certificate(self.ca_json)
@@ -91,7 +91,9 @@ def _load_ca_certificate(self, ca_json):
 
     def _load_rootca_certificate(self, ca_json):
         if "rootcrt" not in ca_json or not ca_json["rootcrt"]:
-            logger.warning("Custom CA has no root CA certificate provided")
+            logger.warning(
+                "Custom CA %s has no root CA certificate provided", self.ca_env
+            )
             return None
         return x509.load_pem_x509_certificate(
             ca_json["rootcrt"].encode("utf-8")
@@ -100,6 +102,8 @@ def _load_rootca_certificate(self, ca_json):
 
     def _load_ca_chain(self):
         # Get the certificate in PEM format
         intermediate_ca_pem = self.encode_certificate(self.ca_certificate)
+        if not self.root_ca_certificate:
+            return intermediate_ca_pem
         root_ca_pem = self.encode_certificate(self.root_ca_certificate)
         return intermediate_ca_pem + root_ca_pem
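Review bot: `_load_rootca_certificate` has no docstring, and the reworded warning is now the only place that states what happens when `rootcrt` is absent or empty: the method returns None and the CA keeps running without a root, which is exactly what a reader of `_load_ca_chain` needs to know. A one-line docstring such as `"""Load the optional root CA certificate from ca_json; returns None (after logging a warning) when no 'rootcrt' is configured."""` would make that contract explicit. The `self.ca_env` used in the message is the first assignment in `__init__`, so the reference is safe as long as this method is only reached from `__init__` after that line; the call site is outside the hunk, so that ordering is assumed rather than verified here.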
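Review bot: The new early return in `_load_ca_chain` tests `self.root_ca_certificate` for falsiness, but `_load_rootca_certificate` returns either a loaded x509 certificate or None, so `if self.root_ca_certificate is None:` expresses the intent exactly instead of relying on the truthiness of a certificate object. The fallback also deserves a comment, because callers now receive an intermediate-only PEM that a relying party can validate only if it already trusts that intermediate directly, e.g. `# No root configured: the chain is the intermediate alone; relying parties must trust it directly`. The only runtime signal that this mode is in effect is the warning logged in `_load_rootca_certificate`, so the comment is where a maintainer will first see it.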
@@ -126,11 +130,12 @@ def issue_certificate(self, csr_pem, validity):
         )
         # Issued by our CA
         builder = builder.public_key(csr.public_key())
         builder = builder.serial_number(x509.random_serial_number())
-        builder = builder.not_valid_before(datetime.now(timezone.utc))
+        current_time = datetime.now(timezone.utc)
+        builder = builder.not_valid_before(current_time)
         acceptable_validity = min(validity, self.settings["max_validity_days"])
         builder = builder.not_valid_after(
-            datetime.now(timezone.utc) + timedelta(days=acceptable_validity)
+            current_time + timedelta(days=acceptable_validity)
         )
 
         # add basic constraints extension, restricted for end entity
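Review bot: `acceptable_validity` is clamped only from above by `min(validity, self.settings["max_validity_days"])`, so a zero or negative `validity` still reaches the new `current_time + timedelta(days=acceptable_validity)` line and produces a certificate whose `not_valid_after` is at or before `not_valid_before`, i.e. one that is born expired or invalid. If `validity` can originate from an API caller, add a lower bound before the clamp, e.g. `if validity <= 0: raise ValueError("validity must be a positive number of days")`. Sharing `current_time` between the two bounds is the right fix for the skew between the old two `datetime.now()` calls; consider also whether `not_valid_before` should be backdated by a small allowance for clock drift between this CA and the relying parties, which is a policy question this hunk does not settle. `issue_certificate` starts and ends outside the hunk.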