On Mon, Dec 26, 2022 at 07:46:29PM -0600, Jeremy Saklad via openssl-users wrote:

> I find myself regularly creating self-signed certificates that are
> verified out-of-band, through DANE, pinning the file, or other means.
> Since the out-of-band verification determines validity, there is no
> reason to set an expiration date on the certificate itself.
>
> Section 4.1.2.5 of RFC 5280 states that an x509 certificate without a
> well-defined expiration date SHOULD have a notAfter value of
> 99991231235959Z. However, I see no practical way to achieve this using
> the openssl command-line options. In fact, I see no way to set an
> explicit expiration date at all. Am I missing something?
>
> The following is the sort of command I am using (with OpenSSL 3.0.7)
> to produce self-signed certificates. How could I set an absolute time
> like the RFC recommends?

The "-days" option of "openssl req -new -x509" lets you set an
expiration date far into the future. This is used in, e.g.:

    https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh

I frankly wouldn't bother with the year 9999 date, it is more likely to
run into issues than something that is, say, good for 100 years. If RSA
is still in use by then, I'd be surprised (if I were still alive, so
perhaps more surprised by that than by RSA being in use, so see you in
2122! :-)

Happy New Year!

-- 
    Viktor.
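As an added illustration (not part of the thread, and not OpenSSL's own code) of how "-days" maps onto an absolute notAfter: "-days" counts from the moment of issuance, so the resulting notAfter inherits the issuing time-of-day and can land on the RFC 5280 date but not exactly on 23:59:59Z. The key type, subject and file names below are placeholders.

```python
from datetime import date, datetime, timedelta, timezone
from typing import List, Optional

# RFC 5280 section 4.1.2.5: a certificate with no well-defined expiry
# SHOULD carry notAfter 99991231235959Z (GeneralizedTime).
RFC5280_NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def days_until(target: datetime, now: Optional[datetime] = None) -> int:
    """Whole days from `now` to `target`: the value to hand to `-days`.
    Rounded down, because `-days` is relative to issuance time; notAfter
    keeps the issuing time-of-day and can only approximate `target`."""
    now = now or datetime.now(timezone.utc)
    days = (target - now).days
    if days <= 0:
        raise ValueError("target must be at least one day in the future")
    return days


def not_after_for_days(days: int, now: datetime) -> str:
    """The notAfter that `openssl req -x509 -days <days>` produces when run
    at `now`, rendered as RFC 5280 GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    return (now + timedelta(days=days)).strftime("%Y%m%d%H%M%SZ")


def selfsigned_req_argv(subject: str, key_out: str, cert_out: str,
                        target: datetime,
                        now: Optional[datetime] = None) -> List[str]:
    """argv for a self-signed certificate whose notAfter falls on the date of
    `target` (hypothetical helper; rsa:2048 and the paths are placeholders)."""
    return ["openssl", "req", "-new", "-x509", "-newkey", "rsa:2048", "-nodes",
            "-subj", subject, "-keyout", key_out, "-out", cert_out,
            "-days", str(days_until(target, now))]


if __name__ == "__main__":
    # Viktor's suggestion: roughly 100 years instead of the year-9999 date.
    now = datetime.now(timezone.utc)
    century = datetime(now.year + 100, 1, 1, tzinfo=timezone.utc)
    argv = selfsigned_req_argv("/CN=example.test", "key.pem", "cert.pem", century)
    print(" ".join(argv))
    print("notAfter will be about", not_after_for_days(days_until(century), now))
    # import subprocess; subprocess.run(argv, check=True)  # to actually issue it
```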