
How to generate openssl certificate with expiry less than one day?

Tags: linux, openssl

I am trying to create a CA-signed end-entity certificate using openssl commands as shown below, in Linux:

# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial

Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say, a 1-hour expiry time, for some testing.

The openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use them. (I am assuming enddate might support specifying date and time.)

# openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
unknown option 120814050000Z
usage: x509 args
. .
-startdate      - notBefore field
-enddate        - notAfter field
. .
-days arg       - How long till expiry of a signed certificate - def 30 days

m.divya.mohan asked Aug 14 '12 07:08



2 Answers

The -startdate and -enddate options for the x509 command are display options. You can set specific start and end time using the ca command instead to sign the certificate.

Try something like this:

openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr 

runfa answered Oct 05 '22 22:10
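
The `openssl ca` approach from the answer above, worked end to end for a one-hour certificate. This is an added example, not part of the original answers: the throwaway CA, subject names, temp-directory layout and the function names `issue_short_lived` and `expires_within` are constructed here, and `date -d` assumes GNU date (Linux).

```shell
# Added example: constructed demo CA and names; assumes GNU date and openssl.

# issue_short_lived MINUTES: sign a CSR with `openssl ca` so the certificate
# is valid from now until now+MINUTES. Prints the certificate path.
issue_short_lived() {
    minutes=$1
    d=$(mktemp -d) || return 1
    # Minimal config: `openssl ca` needs a database, a serial and a policy.
    cat > "$d/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
CN = unused
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d
serial = $d/serial
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOF
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    # UTC timestamps in the YYMMDDHHMMSSZ form used in the answer above.
    start=$(date -u +%y%m%d%H%M%SZ)
    end=$(date -u -d "+${minutes} minutes" +%y%m%d%H%M%SZ)
    {
        openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes \
            -subj "/CN=Demo CA" -days 1 \
            -keyout "$d/cakey.pem" -out "$d/cacert.pem" &&
        openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
            -subj "/CN=client" \
            -keyout "$d/clientkey.pem" -out "$d/clientcert.csr" &&
        openssl ca -batch -notext -config "$d/demo.cnf" \
            -cert "$d/cacert.pem" -keyfile "$d/cakey.pem" \
            -startdate "$start" -enddate "$end" \
            -in "$d/clientcert.csr" -out "$d/clientcert.pem"
    } >/dev/null 2>&1 || return 1
    echo "$d/clientcert.pem"
}

# expires_within CERT SECONDS: true if CERT's notAfter falls within SECONDS.
expires_within() {
    ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

`openssl x509 -noout -dates -in "$(issue_short_lived 60)"` prints the resulting notBefore and notAfter values.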


Step-1. Install faketime

sudo apt-get install faketime 

Step-2. Generate an expired certificate a day before the current date.

faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes' 

Step-3. Verify the certificate validity date

openssl x509 -noout -text -in cert.pem 

Certificate Validity dates - Screenshot

Velu answered Oct 05 '22 22:10