I am trying to create CA signed End Entity certificate using openssl commands as shown below, in Linux:
# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say 1 hour expiry time, for some testing.
Openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use that. ( I am assuming enddate might support specifying date, and time).
#openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
unknown option 120814050000Z
usage: x509 args
.
.
-startdate - notBefore field
-enddate - notAfter field
.
.
-days arg - How long till expiry of a signed certificate - def 30 days
Or here is another way that I have found to work
Say I want my certificate to expire in 10 mins as a test
The current date is feb 17th
The current time is 4:40pmFirst I set my system date to -1 day: Feb 16th
I set my system clock to +10 mins: 4:50pm
I create my cert using openssl x509 to expire in 1 day which really means expire on today Feb 17th
openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt
I then reset my system clock and time to the actual date and time and voila you have a certificate that is going to expire in 10 mins!
Obviously not the real way to do things but nice and easy for creating self signed certificates for dev use.