From 1e82f9652ec561cc0c84bec501976045aa01a310 Mon Sep 17 00:00:00 2001
From: "Y.Horie" <u5.horie@gmail.com>
Date: Sat, 27 Sep 2025 01:24:52 +0900
Subject: [PATCH] caddypki: check intermediate lifetime to actual root cert
 lifetime (#7272)

---
 modules/caddypki/ca.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/caddypki/ca.go b/modules/caddypki/ca.go
index 6c48da6f9..5b17518ca 100644
--- a/modules/caddypki/ca.go
+++ b/modules/caddypki/ca.go
@@ -124,8 +124,6 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
 	}
 	if ca.IntermediateLifetime == 0 {
 		ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime)
-	} else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime {
-		return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime)
 	}
 
 	// load the certs and key that will be used for signing
@@ -144,6 +142,10 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
 	if err != nil {
 		return err
 	}
+	actualRootLifetime := time.Until(rootCert.NotAfter)
+	if time.Duration(ca.IntermediateLifetime) >= actualRootLifetime {
+		return fmt.Errorf("intermediate certificate lifetime must be less than actual root certificate lifetime (%s)", actualRootLifetime)
+	}
 	if ca.Intermediate != nil {
 		interCert, interKey, err = ca.Intermediate.Load()
 	} else {