Setting validity dates

Viktor Dukhovni openssl-users at dukhovni.org
Thu May 11 19:14:46 UTC 2023


On Thu, May 11, 2023 at 03:09:31PM -0400, Robert Moskowitz wrote:

> > You can bootstrap the CA from a self-signed certificate with the same
> > issuer/subject name and key that is then replaced.
> >
> Oh!!!!
> 
> I did not get, at first, what you said.
> 
> SNEAKY!
> 
> Make a 'regular' root self-signed.
> 
> Use this to sign a cert that I control, that is basically self-signed.
> 
> That becomes the REAL CA root cert.
> 
> Oh, neat hack.

I used to do this routinely at a former $work, when building root CAs for
internal issuance.  Indeed first generate a CA key + temp self-signed
cert, then ca(1) to issue a replacement self-signed cert, but with ca(1)
handling all the bells and whistles to decorate it with additional
properties that req(1) does not directly support.

I don't have the scripts for that handy (they belong to the employer
after all), but they're simple enough.

-- 
    Viktor.
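
The bootstrap described in the message above, as an added example; it is not the scripts the message mentions and is not part of the original post. The file names, config section names, the P-256 key type and the extension set are assumptions chosen for illustration; -startdate and -enddate are the ca(1) options that set the validity period.

```shell
# bootstrap_root DIR SUBJECT NOT_BEFORE NOT_AFTER   (dates as YYYYMMDDHHMMSSZ)
# Leaves DIR/ca.key and DIR/root.pem; DIR/temp.pem is only the bootstrap signer.
bootstrap_root() (
    mkdir -p "$1/newcerts" && cd "$1" || exit 1
    subj=$2 start=$3 end=$4
    : > index.txt        # empty ca(1) database
    echo 01 > serial     # first serial number ca(1) will assign
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = root
[ root ]
database      = ./index.txt
serial        = ./serial
new_certs_dir = ./newcerts
default_md    = sha256
policy        = any_name
[ any_name ]
commonName = supplied
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. CA key plus a throwaway self-signed cert carrying the final subject name.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key &&
    openssl req -config ca.cnf -new -x509 -key ca.key -subj "$subj" \
        -days 1 -out temp.pem &&
    # 2. A request for the same name, signed with the same key.
    openssl req -config ca.cnf -new -key ca.key -subj "$subj" -out ca.csr &&
    # 3. ca(1), acting as the temporary cert, issues the replacement: issuer and
    #    subject are identical and the key is the same, so the result is
    #    self-signed, but with explicit validity dates and CA extensions.
    openssl ca -config ca.cnf -batch -notext -cert temp.pem -keyfile ca.key \
        -in ca.csr -out root.pem -extensions v3_ca \
        -startdate "$start" -enddate "$end"
)
# Example call (constructed values):
#   bootstrap_root ./rootca "/CN=Example Root CA" 20230511000000Z 20430511000000Z
```

Only root.pem is distributed as the trust anchor; temp.pem can be deleted once the replacement has been issued.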


