I am creating my keystore with following command:
keytool -genkey -keystore myStore.keystore -keyalg RSA -keysize 1024 -alias myAlias
How could I generate one with a past expiry date? (The use of this: I want to test the behavior of my app with an expired certificate.)
You must use the openssl command to create a self-signed certificate that expires in a different value than the default value of 10 years. To do so, you must perform the following procedure: Create a private key and self-signed certificate using the openssl command.
When creating a new self-signed certificate and keystore using Java's keytool command, the default validity is 90 days. In order to extend this, you can modify the keystore creation command to include the validity parameter.
You can generate an expired certificate using the keytool command with the following parameters:
-startdate
-validity
While the validity parameter takes only a number of days as input, the startdate parameter can be used to specify when the validity begins. The format of the startdate parameter is [yyyy/mm/dd][HH:MM:SS].
Refer to this link for details: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html
Using the java keytool, the minimum validity for a keystore certificate can be 1 day.
EDIT: looks like there's an option for -startdate, as @shyam0191 has answered.
So, you can't (correction: you can actually) generate a certificate with a past date. I suggest using the following command, which will generate a certificate with a 1-day validity; the next day you will be able to test with it:
keytool -selfcert -alias Test -genkey -keystore myStore.keystore -keyalg RSA -validity 1
or use @shyam0191's answer, which will have the same end result (but sooner).
You can use the openssl commands below to generate expired certificates, which mimic the official process of signing certificates.
Note: Only tested on Linux.
# Create the CA key: you are now the CA, using root.key and root.cer to sign certificates
openssl genrsa 4096 > root.key
# Create the CA certificate, expiring ten years from now
openssl req -new -x509 -key root.key -out root.cer -days 3650
# Generate your own private key
openssl genrsa 4096 > server.key
# Build a Certificate Signing Request
openssl req -new -key server.key -out server.csr
# Sign the certificate and make it expire 1 day ago. Note the negative -days argument (not working on macOS)
openssl x509 -req -in server.csr -CA root.cer -CAkey root.key -CAcreateserial -out server.cer -days -1
# Inspect the result: Not After now lies one day before Not Before
openssl x509 -noout -text -in server.cer
Validity
Not Before: Mar 7 09:11:13 2019 GMT
Not After : Mar 6 09:11:13 2019 GMT
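Before running the app against the generated certificate it is worth confirming, in the test harness itself, that the file really is expired. The following added example (not from any of the answers above) parses the Validity block printed by openssl x509 -text, as shown in the output above, and also computes the keytool -startdate value from @shyam0191's answer needed for a certificate that expired a chosen number of days ago; the sample text, helper names and the utc() helper are constructed for this example.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity block as printed by `openssl x509 -noout -text`
# for a certificate signed with `-days -1` (Not After precedes Not Before).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Mar  7 09:11:13 2019 GMT
            Not After : Mar  6 09:11:13 2019 GMT
"""

_NOT_BEFORE = re.compile(r"Not Before\s*:\s*(.+)")
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper (constructed) to build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from openssl text output."""
    nb = _NOT_BEFORE.search(text)
    na = _NOT_AFTER.search(text)
    if not nb or not na:
        raise ValueError("no Validity block found in openssl output")
    # ssl.cert_time_to_seconds understands the "%b %d %H:%M:%S %Y GMT" format openssl prints.
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s.strip()), tz=timezone.utc)
    return to_dt(nb.group(1)), to_dt(na.group(1))


def validity_status(text, now):
    """Classify the certificate window relative to `now`: expired, not-yet-valid or valid.
    Expiry is checked first so an inverted window (negative -days) reads as expired."""
    not_before, not_after = parse_validity(text)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    return "valid"


def keytool_startdate(days_expired, validity_days, now):
    """Value for `keytool -genkeypair -startdate ... -validity validity_days` so that the
    certificate expired `days_expired` days before `now` (format yyyy/mm/dd HH:MM:SS)."""
    start = now - timedelta(days=days_expired + validity_days)
    return start.strftime("%Y/%m/%d %H:%M:%S")
```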