I am trying to create a CA-signed end-entity certificate using openssl commands, as shown below, on Linux:
# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
Is it possible to specify the expiry time in hours instead of days? I need to generate certificates with, say, a 1-hour expiry time for some testing.
The openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use them. (I am assuming enddate might support specifying a date and time.)
#openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
unknown option 120814050000Z
usage: x509 args
.
.
-startdate - notBefore field
-enddate - notAfter field
.
.
-days arg - How long till expiry of a signed certificate - def 30 days
For example, self-signed certificates usually have a one-year validity period.
- Export the private key (with keytool & openssl or through the keystore-explorer UI, which is much simpler)
- Make a certificate signing request (with keytool or through the keystore-explorer UI)
- Sign the request with the private key (i.e. self-signed)
- Import the certificate in the store to replace the old (expired) one.
The -startdate and -enddate options for the x509 command are display options. You can set a specific start and end time by using the ca command to sign the certificate instead.
Try something like this:
openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
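A self-contained run of the `openssl ca` approach from the answer above, as an added example that is not part of the original answers: it builds a throwaway CA with the minimal config sections `ca` needs, issues a certificate valid for exactly one hour, and then displays the dates with `x509`. The directory layout, subject names, `ca.cnf` contents and the `issue_one_hour_cert` and `expires_within` helpers are assumptions made for the demo; it needs Linux with a `date` that accepts `-d @EPOCH`.

```shell
#!/bin/sh
# Added example. Assumes Linux with openssl and a `date` that accepts -d @EPOCH.
# All names, subjects and the CA config below are constructed for this demo.
set -e

issue_one_hour_cert() {   # $1 = working directory for the throwaway CA
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"        # certificate database that `openssl ca` requires
    echo 01 > "$dir/serial"     # next serial number to assign
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/newcerts
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Throwaway CA and client key + CSR (unencrypted keys, test use only).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$dir/clientkey.pem" -out "$dir/clientcert.csr" 2>/dev/null
    # notBefore = now, notAfter = now + 3600 s, both as UTC YYMMDDHHMMSSZ.
    now=$(date -u +%s)
    start=$(date -u -d "@$now" +%y%m%d%H%M%SZ)
    end=$(date -u -d "@$((now + 3600))" +%y%m%d%H%M%SZ)
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -cert "$dir/cacert.pem" -keyfile "$dir/cakey.pem" \
        -startdate "$start" -enddate "$end" \
        -in "$dir/clientcert.csr" -out "$dir/clientcert.pem" 2>/dev/null
}

# True if the certificate in $1 expires within the next $2 seconds.
expires_within() { ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }

demo=$(mktemp -d)
issue_one_hour_cert "$demo"
openssl x509 -noout -dates -in "$demo/clientcert.pem"   # x509 only displays the dates
```

In a test harness, `expires_within cert.pem 3700` succeeding while `expires_within cert.pem 3500` fails confirms the one-hour window without parsing date strings.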
Step-1. Install faketime
sudo apt-get install faketime
Step-2. Generate an expired certificate a day before the current date.
faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'
Step-3. Verify the certificate validity date
openssl x509 -noout -text -in cert.pem