Setting validity dates

Robert Moskowitz rgm at htt-consult.com
Thu May 11 16:06:24 UTC 2023


So for now, I would have to break this into 1st using req to make a CSR, 
then feeding that somehow into ca to actually make the cert.  I do it in 
this two-step for sub certs (intermediate CA and EE certs).  Don't know 
quite how to get this working for the root self-signed cert to get the 
tree started.

On 5/11/23 11:27, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 10:34:22AM -0400, Robert Moskowitz wrote:
>
>> [ CA_default ]
> Support for that is a feature of the ca(1) application, which you're not
> using.
>
>> I have
>>
>> default_startdate = 230501000000Z
>> default_enddate   = 240601000000Z
> These will be ignored.
>
>> My openssl command is:
>>
>> openssl req -config $dir/openssl-root.cnf\
>>        -set_serial 0x$(openssl rand -hex $sn)\
>>        -keyform $format -outform $format\
>>        -key $dir/private/ca.key.$format -subj "$DN"\
>>        -new -x509 -extensions v3_ca\
>>        -out $dir/certs/ca.cert.$format
> Because you're using req(1) not ca(1).  I don't see much evidence of
> support for custom start dates in the req(1) or x509(1) utilities.  With
> a small amount of effort, you could use Python to sign a certificate
> with precisely specified start/end dates.  Or figure out how to use
> ca(1).
>
> Support for explicit start/end dates in req(1)/x509(1) would make a
> reasonable feature request for the OpenSSL project.  Please open a
> github issue.
>
> A patch to add the options would be a rather modest amount of code.
>



More information about the openssl-users mailing list