Hmm, I am not sure if I explained my dilemma correctly. Let me jump onto CLI, maybe it will make more sense that way:
# create a new CA cert
openssl req -x509 -newkey rsa -keyout ca_key.pem -keyform PEM -out ca_cert.pem -outform PEM -config <path_to_config>

# create a new server cert
openssl req -newkey rsa -keyout serv_key.pem -keyform PEM -out serv_cert_tmp.pem -outform PEM -config <path_to_config2>

# sign server certificate
openssl ca -in serv_cert_tmp.pem -out serv_cert.pem -cert ca_cert.pem -keyfile ca_key.pem -config <path_to_config>

After these steps I am left with ca_cert.pem and serv_cert.pem, of which ca_cert expires after 30 days (because of the problem I described).

----------SNIP OF THE CONFIG--------------------
prompt = no

[ ca ]
default_ca = infobloxca          # The default ca section

[ infobloxca ]
default_crl_days = 30            # how long before next CRL
default_md = md5                 # which md to use.
preserve = no                    # keep passed DN ordering
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
default_days = 365
x509_extensions = v3_ca
policy = policy_anything

[ req ]
prompt = no
default_keyfile = rsa_key.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
default_bits = 2048
default_days = 365 <--------------- this one is never applied....

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Joseph Bruni
>Sent: Wednesday, September 08, 2004 4:33 PM
>To: [EMAIL PROTECTED]
>Subject: Re: setting CA certificate expiration to more than 30 days
>through conf file
>
>
>The default_days in the REQ section doesn't do anything since a
>certificate request doesn't expire. The default_days is used in the CA
>section when making a certificate from a request.
>
>
>On Sep 8, 2004, at 5:29 PM, IB wrote:
>
>> I'd like to create my own CA certificate that will last for more than
>> 30 days.
>> I tried to add the default_days attribute into the [ req ] section but
>> this attribute never gets applied. However, if I set "-days" through
>> the CLI (command line) everything works fine.
>>
>> Any thoughts? hints?
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    [EMAIL PROTECTED]
>> Automated List Manager                           [EMAIL PROTECTED]
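
Added example (not part of the original thread and not OpenSSL project code): a shell check of the behaviour discussed above, showing that a self-signed CA certificate made with `openssl req -x509` takes its lifetime from `-days` and not from `default_days` in `[ req ]`. The config contents, file names and subject CN are constructed for this demo.

```shell
#!/bin/sh
# Added demo: default_days in [ req ] vs. -days on the command line.
# File names and the subject CN below are constructed for this example.

make_conf() {   # $1 = working directory
    cat > "$1/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
default_bits       = 2048
default_days       = 365

[ req_distinguished_name ]
CN = Example Test CA
EOF
}

# make_ca DIR NAME [extra req options]: self-signed cert DIR/NAME_cert.pem
make_ca() {
    dir=$1; name=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/${name}_key.pem" -out "$dir/${name}_cert.pem" \
        -config "$dir/req.cnf" "$@" 2>/dev/null
}

# outlives_days CERT N: succeeds if CERT is still valid N days from now
outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    make_conf "$work"
    make_ca "$work" nodays              # relies on default_days in [ req ]
    make_ca "$work" withdays -days 365  # explicit lifetime
    for n in nodays withdays; do
        printf '%s: ' "$n"
        openssl x509 -in "$work/${n}_cert.pem" -noout -enddate
    done
    rm -rf "$work"
}

demo
```

The two `notAfter` lines printed differ: only the certificate created with `-days 365` carries the one-year lifetime.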