Setting validity dates

Viktor Dukhovni openssl-users at dukhovni.org
Thu May 11 15:27:03 UTC 2023


On Thu, May 11, 2023 at 10:34:22AM -0400, Robert Moskowitz wrote:

> [ CA_default ]

Support for that is a feature of the ca(1) application, which you're not
using.

> 
> I have
> 
> default_startdate = 230501000000Z
> default_enddate   = 240601000000Z

These will be ignored.

> My openssl command is:
> 
> openssl req -config $dir/openssl-root.cnf\
>       -set_serial 0x$(openssl rand -hex $sn)\
>       -keyform $format -outform $format\
>       -key $dir/private/ca.key.$format -subj "$DN"\
>       -new -x509 -extensions v3_ca\
>       -out $dir/certs/ca.cert.$format

Because you're using req(1) not ca(1).  I don't see much evidence of
support for custom start dates in the req(1) or x509(1) utilities.  With
a small amount of effort, you could use Python to sign a certificate
with precisely specified start/end dates.  Or figure out how to use
ca(1).

Support for explicit start/end dates in req(1)/x509(1) would make a
reasonable feature request for the OpenSSL project.  Please open a
GitHub issue.

A patch to add the options would be a rather modest amount of code.

-- 
    Viktor.
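
Added example, not part of the original message: one way to do the Python signing suggested above, using the third-party "cryptography" package to self-sign a root CA certificate with the exact start/end dates from the quoted config. The function names, the subject name, the throwaway EC key and the single basicConstraints extension are assumptions for illustration; they do not reproduce the poster's v3_ca section or existing key.

```python
from datetime import datetime, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def parse_utctime(value):
    """Parse an ASN.1 UTCTime string (YYMMDDHHMMSSZ), as in default_startdate."""
    parsed = datetime.strptime(value, "%y%m%d%H%M%SZ")
    # RFC 5280: YY >= 50 means 19YY, otherwise 20YY (strptime pivots at 69).
    yy = int(value[:2])
    century = 1900 if yy >= 50 else 2000
    return parsed.replace(year=century + yy, tzinfo=timezone.utc)


def make_root_ca(common_name, start, end):
    """Self-sign a root CA certificate valid exactly from start to end."""
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway key (assumption)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(parse_utctime(start))  # explicit notBefore
        .not_valid_after(parse_utctime(end))     # explicit notAfter
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def validity(cert):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    try:  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))


if __name__ == "__main__":
    # Dates are the ones from the quoted [ CA_default ] section.
    _, ca_cert = make_root_ca("Example Root CA", "230501000000Z", "240601000000Z")
    print(validity(ca_cert))
    print(ca_cert.public_bytes(serialization.Encoding.PEM).decode())
```

To sign with an existing CA key instead, load it with serialization.load_pem_private_key() and pass it to sign() in place of the generated key.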

