On Thu, May 11, 2023 at 10:34:22AM -0400, Robert Moskowitz wrote:
> [ CA_default ]
Support for that is a feature of the ca(1) application, which you're not
using.
>
> I have
>
> default_startdate = 230501000000Z
> default_enddate = 240601000000Z
These will be ignored.
> My openssl command is:
>
> openssl req -config $dir/openssl-root.cnf\
> -set_serial 0x$(openssl rand -hex $sn)\
> -keyform $format -outform $format\
> -key $dir/private/ca.key.$format -subj "$DN"\
> -new -x509 -extensions v3_ca\
> -out $dir/certs/ca.cert.$format
Because you're suing req(1) not ca(1). I don't see much evidence of
support for custom start dates in the req(1) or x509(1) utilities. with
a small amount of effort, you could use Python to sign a certificate
with precisely specified start/end dates. Or figure out how to use
ca(1).
Support for explicit start/end dates in req(1)/x509(1) would make a
reasonable feature request for the OpenSSL project. Please open a
github issue.
A patch to add the options would be a rather modest amount of code.
--
Viktor.
