How to generate openssl certificate with expiry less than one day?

I am trying to create a CA-signed End Entity certificate using openssl commands as shown below, in Linux:

# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial

Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say 1 hour expiry time, for some testing.

The openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use them. (I am assuming enddate might support specifying date and time.)

# openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial

unknown option 120814050000Z
usage: x509 args
.
.
-startdate      - notBefore field
-enddate        - notAfter field
.
.
-days arg       - How long till expiry of a signed certificate - def 30 days

The -startdate and -enddate options for the x509 command are display options. You can set specific start and end time using the ca command instead to sign the certificate.

Try something like this:

openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
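
The `openssl ca` approach from the answer above, as an added example that is not part of the original thread: it computes a window of N minutes in the `YYMMDDHHMMSSZ` form and signs the CSR against a throwaway CA database. The function names, the `test_ca` section and the temporary config are assumptions; `cacert.pem`, `cakey.pem` and the CSR are the files from the question, and `date -d @epoch` needs GNU or BusyBox date.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes GNU or BusyBox date.
set -eu

# Print "<notBefore> <notAfter>" in the UTCTime form (YYMMDDHHMMSSZ) that
# `openssl ca -startdate/-enddate` takes. $1 = start epoch, $2 = minutes.
validity_window() {
  printf '%s %s\n' \
    "$(date -u -d "@$1" +%y%m%d%H%M%SZ)" \
    "$(date -u -d "@$(( $1 + $2 * 60 ))" +%y%m%d%H%M%SZ)"
}

# Sign CSR $1 into $2, valid for $3 minutes from now, using the thread's
# cacert.pem / cakey.pem. Runs in a subshell so variables stay local.
issue_short_lived() (
  work=$(mktemp -d)            # throwaway CA database for this one issuance
  : > "$work/index.txt"
  echo 01 > "$work/serial"
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $work/index.txt
serial = $work/serial
new_certs_dir = $work
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
  set -- "$1" "$2" $(validity_window "$(date +%s)" "$3")
  openssl ca -batch -config "$work/ca.cnf" -cert cacert.pem -keyfile cakey.pem \
    -startdate "$3" -enddate "$4" -in "$1" -out "$2"
  # On x509 the same two flags only display the fields; use them to verify.
  openssl x509 -noout -startdate -enddate -in "$2"
  rm -rf "$work"
)

# Usage: sh short_cert.sh clientcert.csr clientcert.pem 60
if [ $# -eq 3 ]; then issue_short_lived "$@"; fi
```

Running `openssl x509 -noout -checkend 3600 -in clientcert.pem` afterwards exits non-zero when the certificate expires within the next hour, which is a quick way to confirm the short lifetime in a test script.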

Step-1. Install faketime

sudo apt-get install faketime

Step-2. Generate an expired certificate a day before the current date.

faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'

Step-3. Verify the certificate validity date

openssl x509 -noout -text -in cert.pem

Or here is another way that I have found to work

Say I want my certificate to expire in 10 mins as a test

The current date is Feb 17th
The current time is 4:40pm

First I set my system date to -1 day: Feb 16th
I set my system clock to +10 mins: 4:50pm

I create my cert using openssl x509 to expire in 1 day which really means expire on today Feb 17th

openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt

I then reset my system clock and time to the actual date and time and voila you have a certificate that is going to expire in 10 mins!

Obviously not the real way to do things but nice and easy for creating self signed certificates for dev use.

Try gossl, which allows specifying the cert validity start date and duration in various time units.

I developed it to overcome limitations of command line openssl. The tool is lightweight, implemented in Go, without dependencies, under MIT license.

You can set the -days option to 0:

openssl x509 -req -days 0 -in clientcert.csr -signkey cert.key -out ssl.crt

That will create a certificate with a notBefore and notAfter equal to the current time (i.e. your certificate will expire immediately).
