I'm creating a little test CA with its own self-signed certificate using the following setup (using OpenSSL 1.0.1 14 Mar 2012). The issue I have is that if I look at the start date of the CA's own certificate, it creates it for tomorrow (and I'd like to use it today).
> openssl x509 -noout -startdate -enddate -in ~/my_little_ca/cacert.pem
notBefore=Jan 2 16:05:52 2015 GMT
notAfter=Feb 1 16:05:52 2015 GMT
So I dug around a little because I had the same problem with certificates I signed using the CA. For those certificates I can set the start date using -startdate, but I cannot see a similar option for the CA's root certificate. I've tried using default_startdate in the openssl config file used when generating the CA, but that seems to be ignored for some reason.
I create the CA as follows, which is taken almost verbatim from "Network Security with OpenSSL" by Pravir Chandra et al, as shown further below.
The command used is req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose, but what I'd like to know is: how do I set the start date in this particular case, when generating the root CA's certificate and private key? Thank you in advance.
The full script to generate the CA is below:
MYDIR=$(pwd -P)
BASEDIR=~/enigma_ca
mkdir -pv $BASEDIR
cd $BASEDIR
# the CA key lives here, so keep the directory private to the owner
mkdir -pv private
chmod g-rwx,o-rwx private
mkdir -pv certs
touch index.txt
echo '01' > serial
# first of the current month, in the YYMMDDHHMMSSZ (UTCTime) form openssl ca expects
DEFAULT_STARTDATE=$(date +'%y%m01000000Z')
cat <<EOF >openssl.cnf
[ ca ]
default_ca = my_test_ca
[ my_test_ca ]
certificate = $BASEDIR/cacert.pem
database = $BASEDIR/index.txt
new_certs_dir = $BASEDIR/certs
private_key = $BASEDIR/private/cakey.pem
serial = $BASEDIR/serial
default_crl_days = 7
default_days = 356
# MD5 is obsolete as a signature digest; sha256 is the usual choice today
default_md = md5
# read by openssl ca when it signs requests
default_startdate = $DEFAULT_STARTDATE
policy = my_test_ca_policy
x509_extensions = certificate_extensions
[ my_test_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = $BASEDIR/private/cakey.pem
default_md = md5
# openssl req does not read this setting (it belongs to openssl ca), so it is ignored here
default_startdate = $DEFAULT_STARTDATE
default_days = 356
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = My Mini CA
stateOrProvinceName = Hampshire
countryName = UK
emailAddress = [email protected]
organizationName = My Mini CA Ltd
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
OPENSSL_CONF=$BASEDIR/openssl.cnf
export OPENSSL_CONF
# Now generate self-signed certificate and generate key pair to go with it...
# expect answers the two pass-phrase prompts for the new key
expect - <<EOF >> $MYDIR/ca_debug.txt
puts [concat "OPENSSL_CONF =" \$::env(OPENSSL_CONF)]
spawn openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose
expect "PEM pass phrase:"
send "junk\r"
expect "PEM pass phrase:"
send "junk\r"
expect eof
EOF
You can use openssl ca with the -selfsign option to create your CA's self-signed certificate.
This command lets you set a specific -startdate and -enddate.
For instance:
openssl genrsa -out cakey.pem 2048
openssl req -new -key cakey.pem -out ca.csr
# -in/-out tell ca which request to sign and where to write the certificate;
# -extensions selects the CA:true profile from openssl.cnf instead of the
# end-entity profile named by x509_extensions in the [ my_test_ca ] section
openssl ca -config openssl.cnf -selfsign -keyfile cakey.pem -in ca.csr -out cacert.pem -extensions root_ca_extensions -startdate 20150214120000Z -enddate 20160214120000Z
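The procedure in this answer, carried through end to end as an added example (this is not code from the question or the answer): it builds a throwaway CA directory with its own minimal openssl.cnf, self-signs the root with openssl ca -selfsign and an explicit validity window, and reads notBefore back so you can confirm the date was honoured. It assumes the OpenSSL CLI is on PATH; the directory layout, file names, DN, section and extension names are this example's own choices. The helper emits times in the two-digit-year UTCTime form (YYMMDDHHMMSSZ), which every OpenSSL release accepts for -startdate/-enddate; current releases also accept the four-digit form used above.

```shell
#!/bin/sh
# Added example (not from the question or the answer): self-sign a root CA
# with "openssl ca -selfsign", which honours -startdate/-enddate, then read
# back notBefore. Assumes the OpenSSL CLI is on PATH; the directory layout,
# file names, DN and extension names are this example's own choices.
set -eu

# openssl ca takes times as ASN.1 UTCTime "YYMMDDHHMMSSZ" (UTC). Convert a
# "YYYY-MM-DD HH:MM:SS" string to that form; refuse anything else.
to_asn1_time() {
  digits=$(printf '%s' "$1" | sed 's/[^0-9]//g')
  [ "${#digits}" -eq 14 ] || { echo "to_asn1_time: bad time '$1'" >&2; return 1; }
  printf '%sZ\n' "$(printf '%s' "$digits" | cut -c3-)"
}

# make_root_ca DIR START END: create the CA database under DIR, generate the
# key, self-sign the root certificate for the window START..END and print the
# resulting notBefore line, e.g. "notBefore=Feb 14 12:00:00 2015 GMT".
make_root_ca() {
  dir=$1 start=$2 end=$3
  mkdir -p "$dir/private" "$dir/certs"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"

  # Minimal config. "\$dir" is left for OpenSSL to expand, not the shell.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = example_ca

[ example_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/certs
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_cn
x509_extensions = v3_ca
unique_subject  = no

[ policy_cn ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = root_dn

[ root_dn ]
commonName = Example Test Root CA

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  openssl genrsa -out "$dir/private/cakey.pem" 2048
  openssl req -new -config "$dir/openssl.cnf" \
      -key "$dir/private/cakey.pem" -out "$dir/ca.csr"
  # -selfsign signs the request with its own key; -in/-out are required, and
  # -extensions picks the CA:true profile rather than an end-entity one.
  openssl ca -batch -notext -config "$dir/openssl.cnf" -selfsign \
      -keyfile "$dir/private/cakey.pem" -in "$dir/ca.csr" \
      -out "$dir/cacert.pem" -extensions v3_ca \
      -startdate "$start" -enddate "$end" >/dev/null
  openssl x509 -noout -startdate -in "$dir/cacert.pem"
}

# Stand-alone run with a fixed window, so the printed dates are reproducible.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_root_ca "$work" "$(to_asn1_time '2015-02-14 12:00:00')" \
                       "$(to_asn1_time '2040-02-14 12:00:00')"
  openssl x509 -noout -enddate -in "$work/cacert.pem"
  rm -rf "$work"
fi
```

Two points worth checking against the question's own config: openssl ca always needs a request to sign, so a bare -selfsign without -in does nothing useful, and the [ my_test_ca ] section there names certificate_extensions (CA:false) as its x509_extensions, so without -extensions root_ca_extensions the self-signed root would not be a CA certificate at all.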