Setting validity dates

Robert Moskowitz rgm at htt-consult.com
Thu May 11 19:09:31 UTC 2023



On 5/11/23 12:36, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 12:06:24PM -0400, Robert Moskowitz wrote:
>> So for now, I would have to break this into 1st using req to make a CSR,
>> then feeding that somehow into ca to actually make the cert.  I do it in
>> this two-step for sub certs (intermediate CA and EE certs).  Don't know
>> quite how to get this working for the root self-signed cert to get the
>> tree started.
> The CA can issue its first certificate as a self-signed certificate for
> its own key, and then that becomes the actual CA certificate for issuing
> the rest.
>
> You can bootstrap the CA from a self-signed certificate with the same
> issuer/subject name and key that is then replaced.
>
Oh!!!!

I did not get, at first, what you said.

SNEAKY!

Make a 'regular' root self-signed.

Use this to sign a cert that I control, that is basically self-signed.

That becomes the REAL CA root cert.

Oh, neat hack.
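
The bootstrap described in this exchange, written out as an added example that is not part of either poster's message: a throwaway self-signed certificate acts as issuer so that `openssl ca` can put exact validity dates on the real root. The directory layout, the subject `Example Root CA`, the config section names and the dates are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; paths, subject and dates are constructed for illustration.
# Usage: ./bootstrap.sh DIR STARTDATE ENDDATE   (dates as YYMMDDHHMMSSZ)
bootstrap_root() {
    local dir="$1" start="$2" end="$3"
    mkdir -p "$dir/newcerts" || return 1
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
[ ca ]
default_ca = boot
[ boot ]
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
default_md = sha256
unique_subject = no
policy = pol
x509_extensions = v3_ca
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root key plus a throwaway self-signed cert; its own dates do not matter.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -days 1 -out "$dir/tmp.pem" || return 1
    # 2. CSR for the same key and the same subject name.
    openssl req -new -config "$dir/ca.cnf" -key "$dir/root.key" \
        -out "$dir/root.csr" || return 1
    # 3. `ca` signs with the throwaway cert as issuer, applying the exact dates.
    openssl ca -batch -notext -config "$dir/ca.cnf" -cert "$dir/tmp.pem" \
        -keyfile "$dir/root.key" -startdate "$start" -enddate "$end" \
        -in "$dir/root.csr" -out "$dir/root.pem" || return 1
    # 4. The result must verify against itself; tmp.pem is no longer needed.
    #    -no_check_time lets the check pass for start dates in the future.
    openssl verify -no_check_time -CAfile "$dir/root.pem" "$dir/root.pem" \
        >/dev/null || return 1
    openssl x509 -in "$dir/root.pem" -noout -subject -issuer -startdate -enddate
}
if [ "$#" -eq 3 ]; then bootstrap_root "$@"; fi
```

Because issuer name and key are the same as the subject's, `root.pem` is self-signed in effect and replaces `tmp.pem` as the trust anchor.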



