All,

I've had trouble using openssl on one of our embedded products.
Maybe I am using it wrong, but our self signed certificate generated
with the following command: `openssl req -newkey rsa:1024 -x509
-keyout tmp.key -out tmp.crt -nodes` gives me the default date of
validity to 30 days, or more if I specify '-days'. What really seems
odd to me that I can't change the start date in any way (notBefore
attribute). However, it appears to be a problem when such a product gets
into customers' hands and they set the date differently, or the date on
the system isn't set and is using the factory default time. When a
generated certificate gets transferred from the product into the hands of
a host computer, it needs to be synced with the host computer's notion
of time; otherwise I'll get a verification failure of the certificate.

Regardless, I understand that you can change the validity of a
certificate somehow (post-generation?), but I really like to be able
to set the notBefore and notAfter attributes. The 'req' command
doesn't allow for using the switches -startdate or -enddate as the
'ca' command, and the 'x509' command -- in my opinion it is less
user-friendly (or someone has deliberately done so for other reasons,
security?). I don't mean to start a long thread regarding this issue,
but I have a patch to 0.9.8e that allows a user to specify the -startdate
and -enddate switches to the openssl application.

I've attached the patch as below.

------------------------------------------------------------------------------------


==== //tps/openssl/0.9.8e/mainline/src/apps/req.c#1 -
/work/enaess/mainline/tps/openssl-src/0.9.8e/mainline/src/apps/req.c
====
--- /tmp/tmp.3569.0     2007-11-08 15:42:36.000000000 -0800
+++ /work/enaess/mainline/tps/openssl-src/0.9.8e/mainline/src/apps/req.c
       2007-11-08 15:23:02.000000000 -0800
@@ -179,6 +179,7 @@
        int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
        int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
        char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+       char *startdate=NULL,*enddate=NULL;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
@@ -461,6 +462,16 @@
                        days= atoi(*(++argv));
                        if (days == 0) days=30;
                        }
+               else if (strcmp(*argv,"-startdate") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       startdate = *(++argv);
+                       }
+               else if (strcmp(*argv,"-enddate") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       enddate = *(++argv);
+                       }
                else if (strcmp(*argv,"-set_serial") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -530,6 +541,8 @@
                BIO_printf(bio_err," -new           new request.\n");
                BIO_printf(bio_err," -batch         do not ask
anything during request generation\n");
                BIO_printf(bio_err," -x509          output a x509
structure instead of a cert. req.\n");
+               BIO_printf(bio_err," -startdate     'YYMMDDHHMMSSZ'
certificate validity notBefore.\n");
+               BIO_printf(bio_err," -enddate       'YYMMDDHHMMSSZ'
certificate validity notAfter (overrides -days).\n");
                BIO_printf(bio_err," -days          number of days a
certificate generated by -x509 is valid for.\n");
                BIO_printf(bio_err," -set_serial    serial number to
use for a certificate generated by -x509.\n");
                BIO_printf(bio_err," -newhdr        output \"NEW\" in
the header lines\n");
@@ -943,10 +956,24 @@
                                        X509_get_serialNumber(x509ss)))
                                                goto end;
                                }
-
-                       if (!X509_set_issuer_name(x509ss,
X509_REQ_get_subject_name(req))) goto end;
+                       if (startdate == NULL)
+                               {
                        if
(!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
+                               }
+                       else
+                               {
+
ASN1_UTCTIME_set_string(X509_get_notBefore(x509ss),startdate);
+                               }
+                       if (enddate == NULL)
+                               {
                        if
(!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days))
goto end;
+                               }
+                       else
+                               {
+
ASN1_UTCTIME_set_string(X509_get_notAfter(x509ss),enddate);
+                               }
+
+                       if (!X509_set_issuer_name(x509ss,
X509_REQ_get_subject_name(req))) goto end;
                        if (!X509_set_subject_name(x509ss,
X509_REQ_get_subject_name(req))) goto end;
                        tmppkey = X509_REQ_get_pubkey(req);
                        if (!tmppkey ||
!X509_set_pubkey(x509ss,tmppkey)) goto end;
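Review bot: The two `ASN1_UTCTIME_set_string` calls in the `startdate` and `enddate` branches discard their return value, while the `X509_gmtime_adj` calls right beside them `goto end` on failure; a malformed or unparseable date string given on the command line therefore goes unnoticed and the self-signed certificate is presumably written with whatever the notBefore/notAfter fields held beforehand. Check them the same way the surrounding code does: `if (!ASN1_UTCTIME_set_string(X509_get_notBefore(x509ss),startdate)) goto end;` and `if (!ASN1_UTCTIME_set_string(X509_get_notAfter(x509ss),enddate)) goto end;`. Nothing in this hunk checks that the supplied notBefore precedes notAfter either; the existing `-days` path always yields an ordered pair, so a `-startdate` later than `-enddate` becomes a new way to emit a certificate that can never verify, which is worth rejecting up front with an error on bio_err. The enclosing function begins before this hunk and continues after it.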
