On Sat, 21 Feb 2009 00:07:28 +0100, Oliver Martin wrote:

> I'm trying to create a CA cert with explicit notBefore and notAfter
> dates. I've tried to follow the advice given in an old mailing list
> post [1], but haven't been successful so far.

I've found a solution for that part:

    openssl genrsa 2048 >ca/private/ca-key.key
    openssl req -new -nodes -key ca/private/ca-key.key -out ca/ca-cert.csr \
        -config ca/openssl.cnf
    openssl ca -batch -selfsign -in ca/ca-cert.csr -config ca/openssl.cnf \
        -keyfile ca/private/ca-key.key -out ca/ca-cert.cert -extensions v3_ca

This results in a proper self-signed cert with startdate and enddate from
openssl.cnf or from the command line.

> On a somewhat related note, is it possible to use GeneralizedTime
> instead of UTCTime for notBefore and notAfter with OpenSSL, as
> explained here [3]? My ultimate goal is a certificate that remains
> valid when 32-bit time_t rolls over in 2038, so I need a notBefore
> somewhere in 1901.

For this part, however, I've only found a horribly hackish workaround:

1) set system time to one second before wraparound
2) sleep 1
3) sign a pre-existing CSR with no explicit startdate

Is there any easier way to use GeneralizedTime other than writing my own
program using the OpenSSL API to do it?

Cheers,
Oliver
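Added example, not part of the original post: a Python sketch of how the X.509 validity Time field is DER-encoded under RFC 5280 section 4.1.2.5, showing why a 1901 notBefore cannot be carried in UTCTime. The function names and the sample dates (the two ends of the signed 32-bit time_t range) are constructed here for illustration.

```python
from datetime import datetime, timezone

UTCTIME_TAG = 0x17          # YYMMDDHHMMSSZ, two-digit year
GENERALIZEDTIME_TAG = 0x18  # YYYYMMDDHHMMSSZ, four-digit year


def encode_time(dt):
    """Return the DER TLV for a validity date (dt must be timezone-aware)."""
    dt = dt.astimezone(timezone.utc)
    tail = f"{dt:%m%d%H%M%S}Z"
    if 1950 <= dt.year <= 2049:
        # RFC 5280: dates through 2049 are encoded as UTCTime.
        tag, text = UTCTIME_TAG, f"{dt.year % 100:02d}{tail}"
    else:
        # Years outside the UTCTime window need the four-digit form.
        tag, text = GENERALIZEDTIME_TAG, f"{dt.year:04d}{tail}"
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes


def decode_time(tlv):
    """Parse a UTCTime or GeneralizedTime TLV back into an aware datetime."""
    tag, length, body = tlv[0], tlv[1], tlv[2:].decode("ascii")
    if length != len(body) or not body.endswith("Z"):
        raise ValueError("malformed Time value")
    digits = body[:-1]
    if tag == UTCTIME_TAG and len(digits) == 12:
        yy = int(digits[:2])
        # RFC 5280 window: 50..99 -> 19YY, 00..49 -> 20YY
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), digits[2:]
    elif tag == GENERALIZEDTIME_TAG and len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("not a UTCTime or GeneralizedTime value")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


# Constructed sample dates: minimum and maximum of a signed 32-bit time_t.
TIME_T_MIN = datetime(1901, 12, 13, 20, 45, 52, tzinfo=timezone.utc)
TIME_T_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, dt in (("notBefore", TIME_T_MIN), ("notAfter", TIME_T_MAX)):
        tlv = encode_time(dt)
        print(label, hex(tlv[0]), tlv[2:].decode(), "->", decode_time(tlv))
    # The same 1901 digits squeezed into UTCTime are read back as 2001.
    print(decode_time(b"\x17\x0d011213204552Z"))
```
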
