Creating an indefinitely-valid self-signed x509 certificate
jeremy at saklad5.com
Tue Dec 27 01:46:29 UTC 2022
I find myself regularly creating self-signed certificates that are verified out-of-band, through DANE, pinning the file, or other means. Since the out-of-band verification determines validity, there is no reason to set an expiration date on the certificate itself.
Section 4.1.2.5 of RFC 5280 states that an x509 certificate without a well-defined expiration date SHOULD have a notAfter value of 99991231235959Z. However, I see no practical way to achieve this using the openssl command-line options. In fact, I see no way to set an explicit expiration date at all. Am I missing something?
The following is the sort of command I am using (with OpenSSL 3.0.7) to produce self-signed certificates. How could I set an absolute time like the RFC recommends?
openssl req -x509 -key host.example.key -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth -subj "/CN=host.example/" -out ~/host.example.crt
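As an added example that is not part of the original post: `openssl req -x509` in 3.0 only takes `-days`, but `openssl ca -selfsign -enddate 99991231235959Z` accepts an absolute time and OpenSSL encodes it as GeneralizedTime, as RFC 5280 requires for any date from 2050 on; the script builds the minimal CA database that `ca` insists on inside a directory you pass. OpenSSL 3.x on PATH, a P-256 key and the placeholder name host.example are assumptions.

```shell
# Added example (not from the original post): a self-signed certificate whose
# notAfter is RFC 5280's "no well-defined expiration" value, 99991231235959Z.
# `openssl req -x509` only takes -days, but `openssl ca -selfsign` accepts an
# absolute -enddate; it needs a minimal CA database, built under "$1".
# Assumed: OpenSSL 3.x on PATH, a P-256 key, placeholder name host.example.
set -e
make_indefinite_cert() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"   # empty certificate database
  echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = any_subject
x509_extensions = v3_host
[ any_subject ]
commonName = supplied
[ v3_host ]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = host.example
EOF
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$dir/host.key"
  openssl req -new -key "$dir/host.key" -config "$dir/ca.cnf" -out "$dir/host.csr"
  # -selfsign signs with the request's own key; -enddate is YYYYMMDDHHMMSSZ.
  openssl ca -batch -notext -selfsign -config "$dir/ca.cnf" -keyfile "$dir/host.key" \
      -in "$dir/host.csr" -enddate 99991231235959Z -out "$dir/host.crt" >/dev/null
}
# notAfter as OpenSSL renders it.
cert_not_after() { openssl x509 -in "$1" -noout -enddate; }
# RFC 5280 requires GeneralizedTime for dates from 2050 on; OpenSSL chooses it
# automatically. Returns how many such encodings of the sentinel the DER holds.
cert_has_generalized_9999() {
  openssl asn1parse -in "$1" | grep -c 'GENERALIZEDTIME *:99991231235959Z'
}
```

Because the certificate itself never expires, the out-of-band pin or DANE record is the only thing that retires the key, so it has to be updated whenever the key is rotated.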