Setting validity dates

Hubert Kario hkario at redhat.com
Mon May 15 13:50:20 UTC 2023


On Thursday, 11 May 2023 21:14:46 CEST, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 03:09:31PM -0400, Robert Moskowitz wrote:
>
>>> ...
>> Oh!!!!
>> 
>> I did not get, at first, what you said.
>> 
>> SNEAKY!
>> 
>> Make a 'regular' root self-signed.
>> 
>> use this to sign a cert that I control, that is basically self-signed. ...
>
> I used to do this routinely at a former $work, when building root CAs for
> internal issuance.  Indeed first generate a CA key + temp self-signed
> cert, then ca(1) to issue a replacement self-signed cert, but with ca(1)
> handling all the bells and whistles to decorate it with additional properties
> that req(1) does not directly support.
>
> I don't have the scripts for that handy (they belong to the employer
> after all), but they're simple enough.

I do have public scripts that do that:
https://github.com/redhat-qe-security/certgen/tree/master/certgen

Though note that this library is aimed at creating test certificates, not
production certificates, so it doesn't work with CSR files but rather
expects the CA to generate the keys and certificates.
-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
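
The req(1)-then-ca(1) sequence described in the quoted text, written out as an added example; it is not code from this thread, from certgen, or from the scripts mentioned above. The function name, file names, subject DN and extension set are assumptions chosen for illustration, and the key is left unencrypted as one would only do for a test CA.

```shell
# usage: make_root DIR START END   (dates as YYYYMMDDHHMMSSZ)
# Constructed example: the subject DN, file names and extension set are assumptions.
make_root() {
    dir=$1; start=$2; end=$3
    mkdir -p "$dir/newcerts" || return 1
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test Root
[ ca ]
default_ca = root
[ root ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = pol
[ pol ]
commonName = supplied
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key plus a throwaway self-signed certificate (only needed as ca(1)'s -cert).
    #    -nodes leaves the key unencrypted: acceptable for a test CA only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/tmp.pem" 2>/dev/null || return 1
    # 2. CSR for the same subject, signed with the same key.
    openssl req -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -out "$dir/ca.csr" || return 1
    # 3. ca(1) issues the replacement: issuer comes from tmp.pem, subject from the
    #    CSR, so the result is self-signed but carries the chosen dates and extensions.
    openssl ca -batch -notext -config "$dir/ca.cnf" -cert "$dir/tmp.pem" \
        -keyfile "$dir/ca.key" -extensions v3_root \
        -startdate "$start" -enddate "$end" \
        -in "$dir/ca.csr" -out "$dir/root.pem" 2>/dev/null || return 1
}
```

Running `openssl x509 -in DIR/root.pem -noout -dates` on the result shows the validity window that was requested.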


