Hello, I'm trying to create a CA cert with explicit notBefore and notAfter dates. I've tried to follow the advice given in an old mailing list post [1], but haven't been successful so far.
The commands I'm using are these:

    openssl req -nodes -config ca/openssl.cnf -days 1825 -x509 -newkey \
        rsa:2048 -out ca/ca-cert-temp.cert -outform PEM
    openssl ca -batch -cert ca/ca-cert-temp.cert -ss_cert \
        ca/ca-cert-temp.cert -keyfile ca/private/ca-key.key -config \
        ca/openssl.cnf -out ca/ca-cert.cert -extensions v3_ca -notext

(I've uploaded my openssl.cnf file here [2])

When I sign other certs with ca-cert.cert, openssl verify fails to recognize ca-cert.cert as self-signed and instead prints "error 2 at 1 depth lookup:unable to get issuer certificate". If I sign certs with ca-cert-temp.cert, verify recognizes the CA as self-signed and prints OK, but obviously I can't set notBefore and notAfter.

On a somewhat related note, is it possible to use GeneralizedTime instead of UTCTime for notBefore and notAfter with OpenSSL, as explained here [3]? My ultimate goal is a certificate that remains valid when 32-bit time_t rolls over in 2038, so I need a notBefore somewhere in 1901.

Regards,
Oliver

[1] http://marc.info/?l=openssl-users&m=99604969427707&w=2
[2] http://volatilevoid.net/openssl.cnf
[3] http://marc.info/?l=openssl-users&m=102733541014182&w=2