I am creating a small test certification authority with my own self-signed certificate using the following setup (using OpenSSL 1.0.1 on March 14, 2012). The problem is that if I look at the start date of my own CA certificate, it will create it for tomorrow (and I would like to use it today).
```
> openssl x509 -noout -startdate -enddate -in ~/my_little_ca/cacert.pem
notBefore=Jan 2 16:05:52 2015 GMT
notAfter=Feb 1 16:05:52 2015 GMT
```
So, I dug around a bit, because I had the same issue with certificates that I signed using the CA. For these certificates, I can set the start date using --startdate, but I do not see a similar parameter for the root certificate of the certificate authority. I tried using default_startdate in the openssl configuration file used to create the CA, but for some reason this is ignored?
I create a CA as follows, which is taken almost verbatim from "Network Security with OpenSSL" by Pravir Chandra et al., as shown below.
The command used is `req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose`, but I would like to know how to set startdate in this particular case, when creating the certificate of the root certification authority and private key.
The complete script for creating a CA is below:
```
MYDIR=$(pwd -P)
BASEDIR=~/enigma_ca
mkdir -pv $BASEDIR
cd $BASEDIR
mkdir -pv private
chmod g-rwx,o-rwx private
mkdir -pv certs
touch index.txt
echo '01' > serial
DEFAULT_STARTDATE=$(date +'%y%m01000000Z')
cat <<EOF >openssl.cnf
[ ca ]
default_ca = my_test_ca

[ my_test_ca ]
certificate = $BASEDIR/cacert.pem
database = $BASEDIR/index.txt
new_certs_dir = $BASEDIR/certs
private_key = $BASEDIR/private/cakey.pem
serial = $BASEDIR/serial
default_crl_days = 7
default_days = 356
default_md = md5
default_startdate = $DEFAULT_STARTDATE
policy = my_test_ca_policy
x509_extensions = certificate_extensions

[ my_test_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = $BASEDIR/private/cakey.pem
default_md = md5
default_startdate = $DEFAULT_STARTDATE
default_days = 356
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = My Mini CA
stateOrProvinceName = Hampshire
countryName = UK
emailAddress = ca@myminica.com
organizationName = My Mini CA Ltd

[ root_ca_extensions ]
basicConstraints = CA:true
EOF
OPENSSL_CONF=$BASEDIR/openssl.cnf
export OPENSSL_CONF
# Now generate self-signed certificate and generate key pair to go with it...
expect - <<EOF >> $MYDIR/ca_debug.txt
puts [concat "OPENSSL_CONF =" \$::env(OPENSSL_CONF)]
spawn openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose
expect "PEM pass phrase:"
send "junk\r"
expect "PEM pass phrase:"
send "junk\r"
expect eof
EOF
```
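One way to give a root certificate an explicit notBefore, as an added example that is not part of the original post: create only a key and CSR with `openssl req`, then self-sign the CSR with `openssl ca -selfsign -startdate`, the same start-date option the post mentions for certificates signed by the CA. The function name, directory layout, subject names, the sha256 digest (in place of the post's md5) and the unencrypted key are assumptions made for a throwaway test CA.

```shell
#!/bin/sh
# Added example (not from the original post).
# make_root_ca DIR STARTDATE   STARTDATE is YYMMDDHHMMSSZ, e.g. 150101000000Z
make_root_ca() {
    dir=$1
    start=$2
    mkdir -p "$dir/private" "$dir/certs" || return 1
    chmod go-rwx "$dir/private"
    : > "$dir/index.txt"          # empty CA database
    echo 01 > "$dir/serial"       # first serial number
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/certs
serial = $dir/serial
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
organizationName = optional
[ req ]
prompt = no
default_md = sha256
distinguished_name = demo_dn
[ demo_dn ]
commonName = Demo Root CA
organizationName = Demo CA Ltd
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
    # Step 1: key pair and CSR only (no -x509, so no certificate dates yet).
    # -nodes leaves the key unencrypted: acceptable for a disposable test CA only.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/private/cakey.pem" -out "$dir/careq.pem" \
        >/dev/null 2>&1 || return 1
    # Step 2: sign the CSR with its own key, stating notBefore explicitly.
    openssl ca -batch -notext -selfsign -config "$dir/openssl.cnf" \
        -keyfile "$dir/private/cakey.pem" -in "$dir/careq.pem" \
        -out "$dir/cacert.pem" -startdate "$start" -days 365 \
        -extensions root_ca_extensions >/dev/null 2>&1 || return 1
    # Step 3: print the validity window that actually ended up in the certificate.
    openssl x509 -noout -startdate -enddate -in "$dir/cacert.pem"
}
```

Checking the printed `notBefore` against the requested value, as in step 3, confirms that the start date was honoured rather than silently ignored.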