Creating an indefinitely-valid self-signed x509 certificate

Viktor Dukhovni openssl-users at
Tue Dec 27 01:55:19 UTC 2022

On Mon, Dec 26, 2022 at 07:46:29PM -0600, Jeremy Saklad via openssl-users wrote:

> I find myself regularly creating self-signed certificates that are
> verified out-of-band, through DANE, pinning the file, or other means.
> Since the out-of-band verification determines validity, there is no
> reason to set an expiration date on the certificate itself.
> Section of RFC 5280 states that an x509 certificate without a
> well-defined expiration date SHOULD have a notAfter value of
> 99991231235959Z. However, I see no practical way to achieve this using
> the openssl command-line options. In fact, I see no way to set an
> explicit expiration date at all. Am I missing something?
> The following is the sort of command I am using (with OpenSSL 3.0.7)
> to produce self-signed certificates. How could I set an absolute time
> like the RFC recommends?

The "-days" option of "openssl req -new -x509" lets you set an
expiration date far into the future.  This is used in, e.g.:

I frankly wouldn't bother with the year 9999 date, it is more likely to
run into issues than something that is say good for 100 years.  If RSA
is still in use by then, I'd be surprised (if I were still alive, so
perhaps more suprised by that, than by RSA being in use, so see you in
2122! :-) Happy New Year!


More information about the openssl-users mailing list