 

Specify days (expire date) for generated self-signed certificate with openssl

I haven't found where I can ask this question, but this looks like the right place.

With the following command I can generate a self-signed certificate for a Certification Authority (CA):

$ openssl req -new -x509 -days 3650 -config ./openssl/ca.cnf -key ./dist/ca_key.pem -out ./dist/ca_cert.pem

You can see the option -days that sets the end date. And if I check the generated certificate I see that the days option works:

$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Aug 23 11:29:57 2028 GMT

And in all places/tutorials people use the days option too.

However, how can I specify the same option in the .cnf config? I investigated a lot of articles but nothing seems to work (ca.cnf):

[ ca ]
default_ca      = my_ca
default_days    = 3650 # does not work
days            = 3650 # does not work

[ my_ca ]
...
default_days    = 3650 # does not work
days            = 3650 # does not work
...

[ req ]
...
default_days    = 3650 # does not work
days            = 3650 # does not work
...

None of the above works if I do not use the -days option:

$ openssl req -new -x509 -config ./openssl/ca.cnf -keyout ./dist/ca_key.pem -out ./dist/ca_cert.pem
$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Sep 25 11:38:48 2018 GMT

You can see that the default of 30 days has been used.

Where in the .cnf config must I specify the -days option?

Alexey Volodko asked Aug 26 '18 11:08


1 Answer

Looking at its source code, it seems that the req tool does not support reading the number of days from the configuration file. The variable days only gets modified in a few obvious places.

This is different in the ca tool, where you can see the number of days being read from the configuration file here.

There are several ways to generate a self-signed certificate for the CA. Using the req tool seems popular for that, probably because you can do it in a one-liner. Another option, which I prefer, is to (additionally) use the ca tool, just like you would with any certificate. That way, even your self-signed CA certificate ends up in the CA-administration. It also happens to provide you a way to do what you are asking for, with the default_days configuration option in the my_ca section.

As an example, you could achieve this with the following commands. First create a certificate signing request (CSR), with a key pair being generated simultaneously:

openssl req -newkey rsa:2048 -keyout dist/ca_key.pem -out ca_csr.pem -config openssl/ca.cnf

Then submit the CSR to the CA, just like you would with any CSR, but with the -selfsign option. This requires your CA directory structure to be prepared first, which you will have to do anyway if you want to set up your own CA. You can find a tutorial on that here, for example. Submitting the request can be done as follows:

openssl ca -selfsign -keyfile dist/ca_key.pem -in ca_csr.pem -out dist/ca_cert.pem \
    -outdir root-ca/cert -config openssl/ca.cnf

The setting default_days in the my_ca section of your configuration file will be applied, as it did in my case:

$ openssl x509 -enddate -noout -in ./dist/ca_cert.pem
notAfter=Aug 23 15:21:17 2028 GMT

Note that these commands all depend on the contents of your configuration files. You might have to play around with them to make them work for you, but this gives you the overall approach.

Reinier Torenbeek answered Sep 27 '22 20:09
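The following script is an added example, not code from the question or the answer above. It reproduces both behaviours end to end: it builds a throw-away CA directory with a minimal ca.cnf that sets default_days = 3650, runs the question's `openssl req -x509` one-liner without -days (which ignores the config and falls back to req's built-in 30-day default), then runs the answer's CSR + `openssl ca -selfsign` flow (which honours default_days from the my_ca section). It assumes the openssl command-line tool is on PATH; the directory layout, section names (policy_cn_only, req_dn, v3_ca), the CN and all file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original page. Shows that `openssl req -x509`
# ignores default_days in the config while `openssl ca -selfsign` honours it.
# Assumptions: openssl CLI on PATH; every name and path below is made up.
set -eu

# Write a minimal CA config into directory $1 with default_days = $2, and
# create the state files that `openssl ca` insists on before issuing anything.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = my_ca

[ my_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
default_days    = $2
policy          = policy_cn_only
x509_extensions = v3_ca

[ policy_cn_only ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN = Example Lab Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
}

# The question's one-liner without -days: req reads no day count from the
# config, so the certificate gets req's built-in 30-day default.
selfsign_with_req() {
  openssl req -new -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/req_key.pem" -out "$1/req_cert.pem" >/dev/null 2>&1
  openssl x509 -enddate -noout -in "$1/req_cert.pem"
}

# The answer's approach: CSR first, then `openssl ca -selfsign`, which takes
# default_days from the my_ca section of the same config.
selfsign_with_ca() {
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/ca_key.pem" -out "$1/ca_csr.pem" >/dev/null 2>&1
  openssl ca -selfsign -batch -notext -config "$1/ca.cnf" \
    -keyfile "$1/ca_key.pem" -in "$1/ca_csr.pem" -out "$1/ca_cert.pem" \
    >/dev/null 2>&1
  openssl x509 -enddate -noout -in "$1/ca_cert.pem"
}

# Echo "yes" if certificate $2 is still valid $1 days from now, else "no".
# `openssl x509 -checkend N` exits 0 only when the cert does NOT expire within N seconds.
valid_for_at_least() {
  if openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$2" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
write_ca_config "$WORK" 3650
echo "req -x509 (no -days): $(selfsign_with_req "$WORK")"
echo "ca -selfsign:         $(selfsign_with_ca "$WORK")"
```

The req-generated certificate expires about 30 days out and the ca-generated one about 3650 days out, with no -days passed to either command; the only source of the 3650 is default_days under my_ca. If you keep the req -x509 one-liner instead, the day count has to come from the command line, so script it explicitly rather than relying on the config.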