Reputation: 1690
Varying the start and end date of openssl self-signed certificates
I have these three statements to generate a self-signed cert with a root certificate that I have.
openssl genrsa -out domain.org.key
openssl req -newkey rsa:2048 -nodes -keyout domain.org.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.domain.org" -out domain.org.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:domain.org,DNS:www.domain.org") -days 1 -in domain.org.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.org.crt
However, over here the validity periods can be changed for only a single day. Does anyone know if there is an argument I could add to these that would let me vary the start date and the end date to the granularity of seconds, or minutes. For testing purposes, I need to create several certificates whose validity periods vary for just a few minutes. I've looked at other answers, and they suggest using the ca command:
openssl ca -config /path/to/myca.conf -in req.csr -out ourdomain.pem \
-startdate 0801010000Z -enddate 1001010000Z
But I am not sure how to combine the two since the second command only seems to be generating a key for the domain. Could anyone help combining the two commands, and or changing cert times some other way that doesn't involve changing my system time.
Upvotes: 1
Views: 1598
Answers (1)
Reputation: 14168
openssl command line does not provide command line options to set the start and end dates for the "x509 -req" option.
If you really need to do this, you can modify the openssl source to do what you want.
In the app\req.c you need to modify the "set_cert_times" call:
if (days == 0) {
/* set default days if it's not specified */
days = 30;
}
if (!set_cert_times(x509ss, NULL, NULL, days))
goto end;
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
int days)
If you provide a startdate and enddate it will override the days parameter soyou can do this:
if (!set_cert_times(x509ss, "0801010000Z", "1001010000Z", days))
goto end;
That will hardcode the start and end dates or with a little bit more work you can add support for the -startdate and -enddate parameters to the x509 -req processing.
Upvotes: 1
Related Questions
- creating self-signed certificates with open ssl on windows
- OpenSSL: explicitly set start/end date using `openssl req`?
- Make OpenSSL accept expired certificates
- How to generate openssl certificate with expiry less than one day?
- is it possible to verify certificate chain using openssl while skipping the expiry date
- How do we specify the expiry date of a certificate when creating the public key via openssl command
- Specify days (expire date) for generated self-signed certificate with openssl
- Extract requested validity period from a Certificate Signing Request using OpenSSL
- OpenSSL Self-signed Root CA certificate: Set a start date
- How to change the expiration date for a self created Certificate Authority in keychain