23

I have a bash script that generates a self-signed certificate and works perfectly fine:

#! /bin/bash

# Generate self signed root CA cert
openssl req -nodes -x509 -days 358000 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=root/CN=es.example.com/emailAddress=info@example.com"

# Generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -days 358000 -keyout server.key -out server.csr -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=server/CN=es.example.com/emailAddress=info@example.com"

# Sign the server cert
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Create server PEM file
cat server.key server.crt > server.pem


# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -days 358000 -keyout client.key -out client.csr -subj "/C=IR/ST=TEH/L=Torento/O=CTO/OU=client/CN=es.example.com/emailAddress=info@example.com"

# Sign the client cert
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt

# Create client PEM file
cat client.key client.crt > client.pem

When I check the expiration time of the generated client.pem, it shows an expiration date of the 10th of Aug.:

$ openssl x509 -enddate -noout -in client.pem
notAfter=Aug 10 12:32:07 2018 GMT

What is the problem with expiration date?

Alireza

2 Answers

30

The validity is set with openssl x509 and not with openssl req. If you put the -days option on the x509 command, it will work.

You get the 30/08 because there isn't a -days option that overrides the default certificate validity of 30 days, as mentioned in the x509 man page:

-days arg
specifies the number of days to make a certificate valid for. The default is 30 days.

Side note: generating a certificate with 358000 days (980 years!) of validity is too long if you want reasonable security.

oliv
  • +1 Oh I see! I didn't know `-days` belongs to x509. It is now set to the desired date. Thanks. – Alireza Jul 11 '18 at 13:18
  • I made the `-days` option work from an `openssl req` command when I did it from the command line, but it would not work when I specified the number of days as a variable in a shell script. – Anthony Rutledge Sep 05 '19 at 21:23
22

The validity period of a certificate is set when that certificate is generated.

  • openssl req by itself generates a certificate signing request (CSR). -days specified here will be ignored.

  • openssl x509 issues a certificate from a CSR. This is where -days should be specified.

But:

  • openssl req -x509 combines req and x509 into one: it generates a CSR and signs it, issuing a certificate in one go. That's why req supports the -days flag in that mode; it passes it internally to the x509 command.
rustyx
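The following script is an added example (not code from the question or from either answer) that shows the point both answers make end to end. It issues one certificate where -days is given only to the CSR step, so the x509 step falls back to its 30-day default (the situation in the question), and one where -days is given to openssl x509 -req, then checks the result with openssl x509 -checkend instead of parsing notAfter by hand. It assumes the openssl CLI (1.1.x or 3.x) is on PATH; the subjects, file names and directory layout are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or either answer. Assumes the
# openssl CLI is on PATH; subjects and paths below are illustrative.
# The point: -days given to 'openssl req' (CSR only) is ignored; validity is
# fixed by 'openssl x509 -req -days' at issuance, or by 'openssl req -x509',
# which issues a certificate directly.
set -e

# issue_cert DIR [DAYS]: write ca.crt/ca.key and server.crt/server.key in DIR.
# With DAYS omitted, the x509 step gets no -days and uses the 30-day default,
# reproducing the question's problem.
issue_cert() {
  dir="$1"
  days_opt=""
  [ -n "${2:-}" ] && days_opt="-days $2"
  mkdir -p "$dir"

  # Root CA: 'req -x509' signs immediately, so -days is honoured here.
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Root CA" 2>/dev/null

  # CSR only: a CSR carries no validity period, so this -days is ignored.
  openssl req -nodes -newkey rsa:2048 -days 358000 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=es.example.com" 2>/dev/null

  # Issuance: this is the step that sets notBefore/notAfter.
  openssl x509 -req $days_opt -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
}

# valid_for_at_least FILE DAYS: succeed if FILE does not expire within DAYS.
# 'x509 -checkend N' exits non-zero if the cert expires within N seconds.
valid_for_at_least() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# chains_to_ca CERT CA: succeed if CERT verifies against CA.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demonstration: the same CSR, issued with and without -days at the x509 step.
work=$(mktemp -d)
issue_cert "$work/bad"           # no -days at issuance -> 30 days
issue_cert "$work/good" 365      # -days at issuance   -> 365 days
echo "without -days on x509: $(openssl x509 -noout -enddate -in "$work/bad/server.crt")"
echo "with    -days on x509: $(openssl x509 -noout -enddate -in "$work/good/server.crt")"
```

The -checkend test is also what you want in a monitoring job or pre-deploy check: it answers "will this expire within N seconds" with an exit code, with no locale-dependent date parsing. Keep the issued validity short and renewable rather than copying the 358000-day figure from the question.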