QPTR

Reputation: 1690

Varying the start and end date of openssl self-signed certificates

I have these three statements to generate a self-signed cert with a root certificate that I have.

    openssl genrsa -out domain.org.key
    openssl req -newkey rsa:2048 -nodes -keyout domain.org.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.domain.org" -out domain.org.csr
    openssl x509 -req -extfile <(printf "subjectAltName=DNS:domain.org,DNS:www.domain.org") -days 1 -in domain.org.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.org.crt

However, over here the validity periods can be changed for only a single day. Does anyone know if there is an argument I could add to these that would let me vary the start date and the end date to the granularity of seconds or minutes? For testing purposes, I need to create several certificates whose validity periods vary for just a few minutes. I've looked at other answers, and they suggest using the ca command:

    openssl ca -config /path/to/myca.conf -in req.csr -out ourdomain.pem \
    -startdate 0801010000Z -enddate 1001010000Z

But I am not sure how to combine the two since the second command only seems to be generating a key for the domain. Could anyone help combining the two commands, and/or changing cert times some other way that doesn't involve changing my system time?

Upvotes: 1

Views: 1598

Answers (1)

Shane Powell

Reputation: 14168

openssl command line does not provide command line options to set the start and end dates for the "x509 -req" option.

If you really need to do this, you can modify the openssl source to do what you want.

In the app\req.c you need to modify the "set_cert_times" call:

    if (days == 0) {
        /* set default days if it's not specified */
        days = 30;
    }
    if (!set_cert_times(x509ss, NULL, NULL, days))
        goto end;

    int set_cert_times(X509 *x, const char *startdate, const char *enddate,
                       int days)

If you provide a startdate and enddate it will override the days parameter so you can do this:

    if (!set_cert_times(x509ss, "0801010000Z", "1001010000Z", days))
        goto end;

That will hardcode the start and end dates or with a little bit more work you can add support for the -startdate and -enddate parameters to the x509 -req processing.

Upvotes: 1
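
An added example, not part of the original answer or of the OpenSSL sources: without patching anything, the `openssl ca` command mentioned in the question can sign the same CSR with the root key and takes `-startdate`/`-enddate` down to the second. The function names `utctime` and `issue_cert`, the throwaway CA configuration, and the epoch-based arguments are assumptions made for this example; GNU `date` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): sign a CSR with explicit
# notBefore/notAfter using `openssl ca`, with throwaway CA state per call.

# Format a Unix epoch as YYMMDDHHMMSSZ, the form -startdate/-enddate expect.
utctime() {
    date -u -d "@$1" +%y%m%d%H%M%SZ   # GNU date syntax (assumption: Linux)
}

# Usage: issue_cert CSR CA_CRT CA_KEY OUT START_EPOCH END_EPOCH [SAN_LINE]
issue_cert() {
    local csr="$1" cacrt="$2" cakey="$3" out="$4" start="$5" end="$6"
    local san="${7:-subjectAltName=DNS:domain.org,DNS:www.domain.org}"
    local dir rc=0
    dir=$(mktemp -d) || return 1
    : > "$dir/index.txt"                  # empty issued-certificate database
    openssl rand -hex 16 > "$dir/serial"  # random serial, so test certs differ
    printf '%s\n' "$san" > "$dir/ext.cnf"
    # Minimal CA config. Subject attributes not named in the policy are dropped.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
EOF
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -cert "$cacrt" -keyfile "$cakey" -extfile "$dir/ext.cnf" \
        -startdate "$(utctime "$start")" -enddate "$(utctime "$end")" \
        -in "$csr" -out "$out" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Example: valid from one minute ago until five minutes from now.
# now=$(date +%s)
# issue_cert domain.org.csr rootCA.crt rootCA.key domain.org.crt $((now - 60)) $((now + 300))
```

Because each call uses a fresh index and a random serial, the CA keeps no revocation record of these certificates, which suits short-lived test certificates only.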
