I have a bash script that generates a self-signed certificate and works perfectly fine:

    #! /bin/bash

    # Generate self signed root CA cert
    openssl req -nodes -x509 -days 358000 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=root/CN=es.example.com/emailAddress=info@example.com"

    # Generate server cert to be signed
    openssl req -nodes -newkey rsa:2048 -days 358000 -keyout server.key -out server.csr -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=server/CN=es.example.com/emailAddress=info@example.com"

    # Sign the server cert
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

    # Create server PEM file
    cat server.key server.crt > server.pem

    # Generate client cert to be signed
    openssl req -nodes -newkey rsa:2048 -days 358000 -keyout client.key -out client.csr -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=client/CN=es.example.com/emailAddress=info@example.com"

    # Sign the client cert
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt

    # Create client PEM file
    cat client.key client.crt > client.pem

When I check the expiration time of the generated client.pem, it shows expiration time at 10th of Aug.:

    $ openssl x509 -enddate -noout -in client.pem
    notAfter=Aug 10 12:32:07 2018 GMT

What is the problem with expiration date?
Answer
The validity is set with openssl x509 and not with openssl req.
If you put the -days option with the x509 command, it will work.
You get the 30/08 because there isn’t a -days option that overrides the default certificate validity of 30 days, as mentioned in the x509 man page:
-days arg
specifies the number of days to make a certificate valid for. The default is 30 days.
Side note: generating a certificate with 358000 days (980 years!) validity is too long if you want reasonable security.
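
The behaviour described in the answer, as an added example that is not part of the original post: one CSR is signed twice, once without -days on the x509 step and once with it, and -checkend confirms which lifetime each certificate received. The shortened subjects, the output file names client_default.crt and client_365.crt, and the 3650-day and 365-day lifetimes are constructed for the example.

```shell
#!/bin/bash
# Added example: constructed subjects and lifetimes, throwaway keys only.
set -eu

# sign_demo DIR: build a test CA in DIR and sign one CSR twice,
# once without -days (the question's behaviour) and once with it.
sign_demo() {
    dir=$1
    # -days works here: with -x509, req itself emits the certificate.
    openssl req -nodes -x509 -days 3650 -newkey rsa:2048 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=IR/O=CTO/OU=root/CN=es.example.com" 2>/dev/null

    # A CSR carries no validity period, so no -days on this call.
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=IR/O=CTO/OU=client/CN=es.example.com" 2>/dev/null

    # Before: no -days on the signing step, so x509 applies its 30-day default.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client_default.crt" 2>/dev/null

    # After: -days on the signing step sets notAfter (365 is a constructed value).
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client_365.crt" 2>/dev/null
}

# valid_for_days CERT DAYS: exit 0 if CERT is still valid DAYS from now.
valid_for_days() {
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

tmp=$(mktemp -d)
sign_demo "$tmp"
for c in client_default client_365; do
    printf '%s: ' "$c"
    openssl x509 -enddate -noout -in "$tmp/$c.crt"
done
rm -rf "$tmp"
```
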
Attribution
Source : Link , Question Author : Alireza , Answer Author : oliv