Re: Creating an indefinitely-valid self-signed x509 certificate


 



If all else fails, this should be possible in Perl with Crypt::Perl.

-FG

> On Dec 26, 2022, at 20:46, Jeremy Saklad via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
> I find myself regularly creating self-signed certificates that are verified out-of-band, through DANE, pinning the file, or other means. Since the out-of-band verification determines validity, there is no reason to set an expiration date on the certificate itself.
> 
> Section 4.1.2.5 of RFC 5280 states that an x509 certificate without a well-defined expiration date SHOULD have a notAfter value of 99991231235959Z. However, I see no practical way to achieve this using the openssl command-line options. In fact, I see no way to set an explicit expiration date at all. Am I missing something?
> 
> The following is the sort of command I am using (with OpenSSL 3.0.7) to produce self-signed certificates. How could I set an absolute time like the RFC recommends?
> 
> openssl req -x509 -key host.example.key -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth -subj "/CN=host.example/" -out ~/host.example.crt
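An added example, not part of either message in this thread: what the RFC 5280 section 4.1.2.5 value looks like on the wire, and how a checker can recognise it. The sketch builds only the DER Validity field (it does not issue a certificate), and all function names in it are hypothetical.

```python
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30
# RFC 5280 section 4.1.2.5: notAfter for "no well-defined expiration date".
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
# Assumption: short-form DER lengths (< 128 bytes), enough for a Validity.


def encode_time(dt):
    """DER-encode a Time: UTCTime through 2049, GeneralizedTime from 2050."""
    if dt.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    dt = dt.astimezone(timezone.utc)
    stamp = f"{dt.month:02d}{dt.day:02d}{dt.hour:02d}{dt.minute:02d}{dt.second:02d}Z"
    if 1950 <= dt.year <= 2049:
        tag, text = UTC_TIME, f"{dt.year % 100:02d}{stamp}"
    else:
        tag, text = GENERALIZED_TIME, f"{dt.year:04d}{stamp}"
    return bytes([tag, len(text)]) + text.encode("ascii")


def encode_validity(not_before, not_after=NO_EXPIRY):
    """Build the Validity SEQUENCE { notBefore, notAfter } as DER bytes."""
    body = encode_time(not_before) + encode_time(not_after)
    return bytes([SEQUENCE, len(body)]) + body


def decode_time(der, pos):
    """Parse one Time at der[pos]; return (datetime, next_pos)."""
    tag, length = der[pos], der[pos + 1]
    text = der[pos + 2:pos + 2 + length].decode("ascii")
    if tag == UTC_TIME and length == 13:
        # RFC 5280 pivot: YY >= 50 means 19YY, otherwise 20YY.
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif not (tag == GENERALIZED_TIME and length == 15):
        raise ValueError("not an RFC 5280 Time value")
    dt = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return dt, pos + 2 + length


def never_expires(validity_der):
    """True if the Validity's notAfter is the RFC 5280 no-expiry value."""
    if validity_der[0] != SEQUENCE or validity_der[1] != len(validity_der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    _, pos = decode_time(validity_der, 2)
    not_after, end = decode_time(validity_der, pos)
    if end != len(validity_der):
        raise ValueError("trailing bytes after notAfter")
    return not_after == NO_EXPIRY
```

Because 9999 is past 2049, the value can only be carried as GeneralizedTime (tag 0x18); a tool limited to two-digit UTCTime years cannot express it.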






