So for now, I would have to break this into 1st using req to make a CSR,
then feeding that somehow into ca to actually make the cert. I do it in
this two-step for sub certs (intermediate CA and EE certs). Don't know
quite how to get this working for the root self-signed cert to get the
tree started.

On 5/11/23 11:27, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 10:34:22AM -0400, Robert Moskowitz wrote:
>
> > [ CA_default ]
>
> Support for that is a feature of the ca(1) application, which you're not
> using.
>
> > I have
> > default_startdate = 230501000000Z
> > default_enddate = 240601000000Z
>
> These will be ignored.
>
> > My openssl command is:
> > openssl req -config $dir/openssl-root.cnf \
> >     -set_serial 0x$(openssl rand -hex $sn) \
> >     -keyform $format -outform $format \
> >     -key $dir/private/ca.key.$format -subj "$DN" \
> >     -new -x509 -extensions v3_ca \
> >     -out $dir/certs/ca.cert.$format
>
> Because you're using req(1) not ca(1). I don't see much evidence of
> support for custom start dates in the req(1) or x509(1) utilities. With
> a small amount of effort, you could use Python to sign a certificate
> with precisely specified start/end dates. Or figure out how to use
> ca(1).
>
> Support for explicit start/end dates in req(1)/x509(1) would make a
> reasonable feature request for the OpenSSL project. Please open a
> GitHub issue.
>
> A patch to add the options would be a rather modest amount of code.
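
The two-step route discussed above (req(1) for the CSR, then ca(1) for the certificate) also covers the self-signed root through ca's -selfsign option, which honours default_startdate and default_enddate. This is an added example, not part of the original thread; the directory layout, file names, EC key type and DN are assumptions.

```shell
#!/bin/sh
# Added example. Layout, file names, key type and DN are assumptions;
# the two default_*date values are the ones quoted in the thread.
make_root() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    : > "$dir/index.txt"                      # empty ca(1) database
    cat > "$dir/openssl-root.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
default_startdate = 230501000000Z
default_enddate = 240601000000Z
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/private/ca.key.pem" || return 1
    # Step 1: req(1) only builds the CSR.
    openssl req -new -config "$dir/openssl-root.cnf" \
        -key "$dir/private/ca.key.pem" -out "$dir/ca.csr.pem" || return 1
    # Step 2: ca(1) signs the CSR with its own key (-selfsign) and applies
    # default_startdate/default_enddate; -create_serial picks a random serial.
    openssl ca -batch -notext -selfsign -create_serial \
        -config "$dir/openssl-root.cnf" -extensions v3_ca \
        -keyfile "$dir/private/ca.key.pem" \
        -in "$dir/ca.csr.pem" -out "$dir/certs/ca.cert.pem"
}

# Print the encoded notBefore and notAfter (UTCTime) of a PEM certificate.
cert_validity() {
    openssl asn1parse -in "$1" | sed -n 's/.*UTCTIME *://p' | paste -sd' ' -
}
```

Calling make_root on an empty directory and then cert_validity on certs/ca.cert.pem prints the two configured dates, confirming that ca(1) applied them to the root.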