Hi list,

I'm currently setting up a small PKI using Bash scripts calling OpenSSL and Apache. However, whatever days of validity I put on the command line, it remains at its default, 365 days.

- On the CSR generation side, I'm using the following command:

    $openssl req -config $dossier/$config -new -newkey rsa:4096 -subj "$subject" -nodes -keyout $dossier/test/$filename.key -out $dossier/test/$filename.csr

  In the OpenSSL conf used on this side:

    default_days = 3650

- On the CS validation side, I use the following command:

    $openssl ca -config $dossier/$config -policy policy_match -out $dossier/subca/$filename.crt -infiles $dossier/requests/$filename.csr -days 3650

Still, I get the following output when OpenSSL asks me if I want to confirm the certificate validation:

    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 28 14:53:37 2011 GMT
            Not After : Jun 27 14:53:37 2012 GMT
        Subject:
            countryName               = ***
            stateOrProvinceName       = ***
            organizationName          = ***
            organizationalUnitName    = ***
            commonName                = ***
            emailAddress              = ***
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DA:55:28:C2:BF:03:F4:C9:2F:E5:00:13:F3:8B:0D:39:72:61:6B:EA
            X509v3 Authority Key Identifier:
                keyid:CF:01:8E:EF:EF:65:44:08:77:61:69:96:73:CA:83:8F:56:6A:55:E5

    Certificate is to be certified until Jun 27 14:53:37 2012 GMT (365 days)

And I just can't seem to understand why. Any ideas, guys?

Eric
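Added example, not part of the original post: a self-contained check of the issued lifetime against a throwaway CA. It relies on the documented behaviour of `openssl ca` that `-infiles` must be the last option (every argument after it is read as a request file name), so `-days` is placed before it. The CA layout, file names and subjects are constructed for this example.

```shell
#!/bin/sh
set -eu

# Build a throwaway CA and one CSR under $1 (all names here are constructed).
make_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 7300 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
}

# Sign the CSR for $2 days. -days precedes -infiles, which must be the last
# option: every argument after it is read as a request file name.
sign_days() {
    openssl ca -batch -config "$1/ca.cnf" -days "$2" \
        -out "$1/leaf.crt" -infiles "$1/leaf.csr" >/dev/null 2>&1
}

# Succeed only if the certificate in $1 expires between $2-1 and $2+1 days from now.
lifetime_is() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

demo=$(mktemp -d)
make_ca "$demo"
sign_days "$demo" 3650
lifetime_is "$demo/leaf.crt" 3650 && echo "issued for 3650 days"
rm -rf "$demo"
```

The `default_days = 365` in the constructed CA section is overridden by `-days 3650` on the command line, which the `-checkend` test confirms on the issued certificate itself.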