Xeno Campanoli wrote:
> 
> Jean-Marc Desperrier wrote:
> >
> > Xeno Campanoli wrote:
> > >> I want to explicitly set the Not Before and Not After dates on my self
> > >> signed certificate, for testing purposes.  My only example for making
> > >> the self signed certificate with the OpenSSL applications, however, is
> > >> with the openssl req facility, which only allows you to specify days,
> > >> from what I can tell.  Does anyone out there know a method for making
> > >> such an explicitly dated self signed certificate?  Please do tell.
> >
> > I know one.
> > Generate a self signed certificate with -req.

Okay, I seem to have done this after all.  Among other things I was
getting a failure because the times between my server and client were
not in sync.  Anyway, my missing step was mostly not reading your email
closely enough for the switches you recommended, -ss_cert and -cert, as
opposed to -out which I was still trying to use.  My apologies.  I also
was a bit confused until I found the resulting certificate apparently
couldn't be redirected explicitly, and please correct me if I'm wrong
about this, but rather I ended up extracting it from the 01.pem file
that ends up in the newcerts directory.  Perhaps there is a config file
item on this I haven't seen, but at any rate I couldn't do it with any
command line switch.  

Any feedback suggesting ways to further clean up this process is
shamelessly pleaded for.  Thanks for the help thus far though, as this
makes my test system a lot better.

Sincerely, Xeno
> 
> I've only generated self signed certificates with openssl req -x509.  I
> can't seem to find the combination that you might mean with openssl
> x509.  When I generate a self signed certificate with openssl req -x509
> and then try to use it as a request, I get:
> 
> Error reading certificate request in {filespec} when I try to re-sign
> it.
> 
> I may be leaving something out.  Can you give me some examples?  My
> config files are okay I think, as I generate them dynamically for the
> circumstance, and they are working elsewhere.
> >
> > then use openssl ca by telling it to use for the ca certificate the
> > self-signed certificate you generated ( -cert ss.pem ) and for the request
> > the same self-signed certificate (-ss_cert ss.pem).
> >
> > This gives you access to the options -startdate -enddate in the call to
> > openssl ca to set the start/end date of the certificate.
> > You will have to play with openssl.cnf to set the correct parameters for this
> > micro CA to work.
> >
> > > Xeno Campanoli wrote:
> > > By the way, I just tried setting -days 0 for openssl req to try and get a
> > > certificate with no valid duration, and this gives a default of 30
> > > days.  Didn't anybody think of test data when they wrote this stuff?
> >
> > So what? For openssl setting 0 is equivalent to not setting this option, and
> > you will get the default value instead.
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
> --
> ===: [EMAIL PROTECTED] :========================================
> Collecting pledges for the Courage Classic Bicycle ride.  It funds two
> children's charities:  www.courageclassic.com.  I have 29 contributors
> so far, for $465.75 ($399.75 from Aventail folks), presuming I finish.

-- 
===: [EMAIL PROTECTED] :========================================
Collecting pledges for the Courage Classic Bicycle ride.  It funds two
children's charities:  www.courageclassic.com.  I have 29 contributors
so far, for $465.75 ($399.75 from Aventail folks), presuming I finish.
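
The procedure discussed in this thread (a self-signed certificate from openssl req -x509, then re-signed by openssl ca using -cert and -ss_cert with -startdate and -enddate, and picked up from the newcerts directory), as an added shell example that is not part of the original messages. The file names, the subject and the minimal config sections are assumptions.

```shell
# Added example; file names, subject and config section names are assumptions.
# Usage: make_dated_cert WORKDIR NOTBEFORE NOTAFTER   (dates as YYMMDDHHMMSSZ)
make_dated_cert() {
    work=$1 start=$2 end=$3
    mkdir -p "$work/newcerts" || return 1
    (
        cd "$work" || exit 1
        # State files "openssl ca" expects: empty database, first serial 01.
        : > index.txt
        echo 01 > serial
        # Quoted heredoc so $dir is expanded by OpenSSL, not by the shell.
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = micro_ca
[ micro_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
EOF
        # Step 1: throwaway self-signed certificate; its own dates do not matter.
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout key.pem -out ss.pem -subj "/CN=dated-test.example" \
            -days 1 > req.log 2>&1 || exit 1
        # Step 2: sign it with itself as the CA, fixing the validity window.
        openssl ca -batch -config ca.cnf -notext \
            -cert ss.pem -keyfile key.pem -ss_cert ss.pem \
            -startdate "$start" -enddate "$end" > ca.log 2>&1 || exit 1
        # The issued certificate is stored under its serial number.
        openssl x509 -in newcerts/01.pem -noout -startdate -enddate
    )
}
```

Calling `make_dated_cert /tmp/dated 300115000000Z 300116000000Z` leaves the certificate in `/tmp/dated/newcerts/01.pem` and prints its notBefore and notAfter lines; a window in the past or future gives an expired or not-yet-valid test certificate.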