We use a private certificate authority powered by OpenSSL to authenticate our customers. We provide a simple web-based utility which allows them to upload a CSR file for the certificate authority to sign.
At the moment, we can only issue certificates for a fixed period, currently 365 days. However, our customers have asked if they can specify the validity period of their certificates instead.
I would prefer not to have to ask the user what validity period they want, since they have to specify a validity period when they generate their CSR, and it makes sense to extract this period from the CSR when signing the certificate. However I can't work out how to do it: the normal things that OpenSSL lets you do to debug CSRs, certificates and keys don't show the relevant information: here's an example of the output of "openssl req -text -noout < csrfile":
$ openssl req -text -noout < my.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, L=London, O=example.com, CN=customer/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:3b:11:7f:61:31:19:97:b6:26:19:01:e7:c6:
c3:d5:03:a5:f6:5a:4d:e2:03:d0:4e:76:49:d0:7f:
59:92:bf:5e:12:b3:b0:7e:20:5b:d8:a2:3f:cb:50:
c1:64:e5:48:04:c3:b2:04:e3:f2:4c:2f:0e:e2:a6:
c3:7c:36:24:dc:97:c9:f0:ba:ad:87:0f:71:45:9c:
6a:7f:d4:4c:d5:31:8e:49:a8:e4:3d:c4:ec:5e:54:
bf:f9:ba:ce:21:4c:11:15:7d:f0:d3:7a:77:f6:66:
5d:07:4e:4a:d3:0e:f0:52:0d:d9:cf:81:86:fe:9b:
c8:f8:e4:8d:d6:d1:d0:85:7f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
5e:4c:38:59:95:e5:11:b4:a3:d5:88:1f:3c:c0:33:67:cb:b2:
14:85:73:c3:5a:b8:23:bf:1d:25:2b:a9:38:93:da:fb:67:17:
26:6c:79:07:dd:7f:3c:3f:b0:33:17:d1:c2:41:f7:c9:ce:1e:
32:1c:a1:a0:a3:50:67:56:1b:58:d9:b4:48:56:70:00:43:22:
a9:0c:17:be:67:42:f4:98:d6:d8:c0:d0:4f:6a:73:d1:a8:57:
91:3c:02:dc:dc:8f:e3:fb:48:28:06:a2:8e:8e:27:b2:39:d7:
3e:ce:63:ae:66:9b:ec:38:ee:09:77:dc:0f:91:40:ab:28:0f:
ae:a9
No mention of the requested validity period anywhere.
Any suggestions?
I've been trying to figure out how to request a specific validity period in a CSR, and as far as I can tell, the CSR simply doesn't carry that information. The CSR's structure is defined in PKCS#10 / RFC2986, and it doesn't have a field specifically for a requested validity period. The attributes and extensions that can be put in the CSR are listed in PKCS#9, and there's nothing there about validity periods. And finally, I can do an openssl asn1parse on my generated CSRs and find that there's no validity-period-related information included regardless of what I pass to openssl req.
I stumbled across your question while researching the validity of a CSR. As others have mentioned, the validity period is not included in the CSR, but I was curious about the -days option a lot of people include in their examples for creating a CSR. After reading the documentation of OpenSSL it is quite clear:
-days n
when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.
and the -x509 option outputs a self signed certificate instead of a certificate request
-x509
this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.
Though you request a certain validity period for your certificate while generating the CSR, it's uncertain to expect that validity to be acceptable to the CA. Most CAs would prefer a predefined validity period, and few CAs are OK with the requested validity period and generate the CSR accordingly. Now, coming to the point: the CSR ASN.1 structure according to the PKCS#10 standard does not specify the validity period, and thus you cannot extract that information from the CSR.
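The point the answers above make, as an added example that is not part of the original thread: a CSR created with -days carries no time values, and the certificate lifetime is whatever the CA passes at signing, so a requested period has to arrive as a separate, policy-checked input. The function names, the throwaway test CA and the MAX_DAYS cap of 825 are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). MAX_DAYS and all file and
# function names are assumptions made for illustration.
set -euo pipefail
MAX_DAYS=825   # assumed CA policy cap

# Count ASN.1 time values in a PEM object; certificate validity is a pair of them.
asn1_time_fields() {
    openssl asn1parse -in "$1" | grep -Ec 'UTCTIME|GENERALIZEDTIME' || true
}

# Accept only a positive integer from the request form and cap it at policy.
clamp_days() {
    case "$1" in ''|*[!0-9]*) echo "invalid days: $1" >&2; return 1 ;; esac
    [ "$1" -ge 1 ] || { echo "invalid days: $1" >&2; return 1; }
    if [ "$1" -gt "$MAX_DAYS" ]; then echo "$MAX_DAYS"; else echo "$1"; fi
}

# Sign CSR $1 with CA cert $2 and key $3 for $4 days (after policy); print cert path.
sign_csr() {
    local days crt
    days=$(clamp_days "$4"); crt="${1%.csr}.crt"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "$days" -out "$crt" >/dev/null 2>&1
    echo "$crt"
}

# True if certificate $1 expires about $2 days from now (within one day either way).
lifetime_is() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

# Constructed fixture: a throwaway CA and a customer CSR created with -days 730.
make_fixture() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -days 3650 -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=customer" \
        -days 730 -keyout "$d/c.key" -out "$d/c.csr" >/dev/null 2>&1
    echo "$d"
}

d=$(make_fixture)
echo "time fields in CSR: $(asn1_time_fields "$d/c.csr")"
crt=$(sign_csr "$d/c.csr" "$d/ca.crt" "$d/ca.key" 90)
echo "time fields in certificate: $(asn1_time_fields "$crt")"
lifetime_is "$crt" 90 && echo "lifetime set by the CA: 90 days"
```

The 730 given when the CSR was created never reaches the CA; only the value passed through clamp_days to the signing step determines the issued lifetime.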