Perform the following:
o Create a new directory, and put the attached openssl.cnf in it
o Look over openssl.cnf to convince yourself I'm not trying to hack you.
o openssl req -new -config openssl.cnf -x509 -keyout cakey.pem -out cacert.pem -batch # Create a CA cert/key, use any passphrase you like
o openssl req -new -config openssl.cnf -keyout key.pem -out req.pem -batch # Create a cert request/key
o touch index.txt # Start a blank db
o echo "01" > serial # Start serial number at 1
o openssl ca -config openssl.cnf -enddate 311231235959 -cert cacert.pem -keyfile cakey.pem -out cert.pem -infiles req.pem key.pem
You'll see a line that says:
Certificate is to be certified until Dec 31 23:59:59 2031 (365 days)
Dec 31, 2031 is not 365 days from now. The day count is apparently taken from openssl.cnf and is not updated when "enddate" is used, resulting in the conflicting information.
Now try this:
o openssl ca -config openssl.cnf -days 20000 -cert cacert.pem -keyfile cakey.pem -out cert.pem -infiles req.pem key.pem
The "Not After" date is in 1922, and you see a "Certificate is to be certified until Bad time value (20000 days)", which is reasonable behavior considering an overflow occurred. A hard error would be better.
Now this:
o openssl ca -config openssl.cnf -days 15000 -cert cacert.pem -keyfile cakey.pem -out cert.pem -infiles req.pem key.pem
The "Not After" date is in 1908, but you get a "Certificate is to be certified until Aug 11 03:12:08 2019 GMT (15000 days)" which conflicts with the "Not After" date.
These bugs all appear to be mostly cosmetic, but they leave me wondering what the latest valid expiration date is and whether the generated certificate is actually valid.
FYI, I'm working on being my own CA and generating certs to go in some embedded systems, so long expirations are A Good Thing for me. Is there any way to make certs that never expire?
Thanks!
Attached openssl.cnf:

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]
certs = ./ # Where the issued certs are kept
crl_dir = ./ # Where the issued crl are kept
database = ./index.txt # database index file.
new_certs_dir = ./ # default place for new certs.
certificate = ./cacert.pem # The CA certificate
serial = ./serial # The current serial number
crl = ./crl.pem # The current CRL
private_key = ./cakey.pem # The private key
RANDFILE = ./rand # private random number file
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

####################################################################
[ req ]
default_bits = 384
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = State
localityName = Locality Name (eg, city)
localityName_default = City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Organization
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = Common Name
commonName_max = 64
emailAddress = Email Address
emailAddress_default = none
emailAddress_max = 64

[ req_attributes ]

[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
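An added cross-check (my own example, not code from the report or from OpenSSL): it parses the `Certificate is to be certified until ...` line together with the `notBefore`/`notAfter` values that `openssl x509 -noout -dates` prints for the issued cert, and flags each of the three inconsistencies described in the report. The sample dates below are constructed, not captured from the commands in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# openssl prints dates as e.g. "Dec 31 23:59:59 2031 GMT" or "Aug  1 03:12:08 2019 GMT"
_TIME_RE = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4})(?: GMT)?")
_MSG_RE = re.compile(r"Certificate is to be certified until (.+?) \((\d+) days\)")


def parse_openssl_time(text):
    """Parse an openssl-formatted date out of text; None if there is no valid date in it."""
    m = _TIME_RE.search(text)
    if not m:
        return None
    mon, day, hms, year = m.groups()
    parsed = datetime.strptime(f"{mon} {int(day)} {hms} {year}", "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def parse_ca_message(line):
    """Split the 'certified until ... (N days)' line into (datetime or None, N or None)."""
    m = _MSG_RE.search(line)
    if not m:
        return None, None
    return parse_openssl_time(m.group(1)), int(m.group(2))


def check_issued_cert(not_before, not_after, ca_message):
    """Cross-check the cert's own dates against what `openssl ca` claimed; return finding codes."""
    nb, na = parse_openssl_time(not_before), parse_openssl_time(not_after)
    findings = []
    if na <= nb:
        findings.append("NOT_AFTER_BEFORE_NOT_BEFORE")  # the -days overflow symptom (1922 / 1908)
    if na.year > 2049:
        findings.append("NEEDS_GENERALIZEDTIME")  # UTCTime only encodes 1950..2049 (RFC 5280)
    msg_time, days = parse_ca_message(ca_message)
    if msg_time is None or days is None:
        findings.append("MESSAGE_UNPARSEABLE")  # e.g. "... until Bad time value (20000 days)"
        return findings
    if msg_time != na:
        findings.append("MESSAGE_DATE_MISMATCH")  # message date and notAfter disagree
    if abs((msg_time - nb) - timedelta(days=days)) > timedelta(days=1):
        findings.append("DAYS_MISMATCH")  # "(365 days)" came from default_days, not -enddate
    return findings


# Constructed sample (not captured output): notBefore/notAfter as `openssl x509 -noout -dates`
# would print them for the -enddate run, and the line `openssl ca` printed for it.
SAMPLE_NOT_BEFORE = "Jun 15 12:00:00 2001 GMT"
SAMPLE_NOT_AFTER = "Dec 31 23:59:59 2031 GMT"
SAMPLE_MESSAGE = "Certificate is to be certified until Dec 31 23:59:59 2031 (365 days)"

if __name__ == "__main__":
    print(check_issued_cert(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_MESSAGE))
```

On the "never expire" question: RFC 5280 encodes dates through 2049 as UTCTime (two-digit year) and 2050 onward as GeneralizedTime, with 99991231235959Z as the value for "no well-defined expiration", so any notAfter past 2049 also depends on the issuing tool encoding GeneralizedTime correctly.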