I am trying to create a CA-signed end-entity certificate using openssl commands as shown below, in Linux:
# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say, a 1-hour expiry time, for some testing.
The openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use them. (I am assuming enddate might support specifying date and time.)
# openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
unknown option 120814050000Z
usage: x509 args
.
.
-startdate - notBefore field
-enddate - notAfter field
.
.
-days arg - How long till expiry of a signed certificate - def 30 days
The -startdate and -enddate options for the x509 command are display options. You can set specific start and end time using the ca command instead to sign the certificate.
Try something like this:
openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
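The `openssl ca` approach from the answer above, as an added example that is not part of the original thread: it computes an N-hour UTC window in the YYMMDDHHMMSSZ form, signs the CSR, and confirms the short lifetime with `-checkend`. The function names are hypothetical, GNU date is assumed, and the config path and CA file names are the ones used in that answer.

```shell
#!/bin/sh
# Added example: issue a certificate valid for N hours with `openssl ca`.
# Assumes GNU date (Linux) and that the config file describes a working CA
# (index and serial files); adjust the CA file names to your own setup.

# Print "<notBefore> <notAfter>" as UTCTime (YYMMDDHHMMSSZ), the format
# -startdate/-enddate take. Arg 1: lifetime in hours. Arg 2 (optional):
# start as Unix epoch seconds, default now.
utctime_window() {
    hours=$1
    start=${2:-$(date -u +%s)}
    case $hours in
        ''|*[!0-9]*) echo "hours must be a positive integer" >&2; return 1 ;;
    esac
    [ "$hours" -gt 0 ] || { echo "hours must be a positive integer" >&2; return 1; }
    end=$((start + hours * 3600))
    printf '%s %s\n' \
        "$(date -u -d "@$start" +%y%m%d%H%M%SZ)" \
        "$(date -u -d "@$end" +%y%m%d%H%M%SZ)"
}

# Sign CSR ($1) into OUT ($2) with a lifetime of HOURS ($3, default 1),
# then print the validity fields and confirm the expiry really is that close.
issue_short_lived() {
    csr=$1 out=$2 hours=${3:-1}
    window=$(utctime_window "$hours") || return 1
    not_before=${window% *}
    not_after=${window#* }
    openssl ca -config /etc/openssl.cnf -policy policy_anything \
        -out "$out" -startdate "$not_before" -enddate "$not_after" \
        -cert ca.pem -keyfile cakey.pem -infiles "$csr" || return 1
    # For x509, -startdate/-enddate only display notBefore/notAfter.
    openssl x509 -noout -startdate -enddate -in "$out"
    # -checkend N exits non-zero when the cert expires within N seconds,
    # so a zero status here means the lifetime is longer than requested.
    if openssl x509 -noout -checkend $((hours * 3600 + 60)) -in "$out" >/dev/null; then
        echo "unexpected: $out is still valid after $hours hour(s)" >&2
        return 1
    fi
}

# With two or more arguments, issue; otherwise show a 1-hour window from now.
if [ "$#" -ge 2 ]; then
    issue_short_lived "$@"
else
    utctime_window 1
fi
```

Run it as `sh script.sh clientcert.csr clientcert.pem 1` from the directory that holds the CA files.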
Step-1. Install faketime
sudo apt-get install faketime
Step-2. Generate an expired certificate a day before the current date.
faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'
Step-3. Verify the certificate validity date
openssl x509 -noout -text -in cert.pem
Or here is another way that I have found to work.
Say I want my certificate to expire in 10 mins as a test.
The current date is Feb 17th.
The current time is 4:40pm.
First I set my system date to -1 day: Feb 16th.
I set my system clock to +10 mins: 4:50pm.
I create my cert using openssl x509 to expire in 1 day, which really means expire on today, Feb 17th:
openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt
I then reset my system clock and time to the actual date and time and voila you have a certificate that is going to expire in 10 mins!
Obviously not the real way to do things but nice and easy for creating self signed certificates for dev use.
Try gossl, which allows specifying the cert validity start date and duration in various time units.
I developed it to overcome limitations of command line openssl. The tool is lightweight, implemented in Go, without dependencies, under MIT license.
You can set the -days option to 0:
openssl x509 -req -days 0 -in clientcert.csr -signkey cert.key -out ssl.crt
That will create a certificate with a notBefore and notAfter equal to the current time (i.e. your certificate will expire immediately).