Original URL: http://stackoverflow.com/questions/11947295/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
How to generate openssl certificate with expiry less than one day?
Asked by m.divya.mohan
I am trying to create CA signed End Entity certificate using openssl commands as shown below, in Linux:
# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say 1 hour expiry time, for some testing.
Openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use that. (I am assuming enddate might support specifying date and time.)
#openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial
unknown option 120814050000Z
usage: x509 args
.
.
-startdate - notBefore field
-enddate - notAfter field
.
.
-days arg - How long till expiry of a signed certificate - def 30 days
Accepted answer by Tom Lee
Or here is another way that I have found to work
Say I want my certificate to expire in 10 mins as a test
The current date is Feb 17th
The current time is 4:40pm
First I set my system date to -1 day: Feb 16th
I set my system clock to +10 mins: 4:50pm
I create my cert using openssl x509 to expire in 1 day which really means expire on today Feb 17th
openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt
I then reset my system clock and time to the actual date and time and voila you have a certificate that is going to expire in 10 mins!
Obviously not the real way to do things but nice and easy for creating self signed certificates for dev use.
Answer by runfa
The -startdate and -enddate options for the x509 command are display options. You can set specific start and end time using the ca command instead to sign the certificate.
Try something like this:
openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
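An added example, not part of the answer above or of the original page: the `openssl ca -startdate/-enddate` approach with the validity window given in minutes, plus the x509 display options used to confirm the result. The function names (`utctime`, `sign_short_lived`, `demo`), the throwaway CA configuration and all file names are assumptions made for illustration; GNU `date` and the `openssl` CLI are required.

```shell
#!/usr/bin/env bash
# Added example (not from the answers). Assumes GNU date and the openssl CLI.

# utctime MINUTES [BASE_EPOCH]: UTC time in the YYMMDDHHMMSSZ form that
# `openssl ca -startdate/-enddate` expects, MINUTES after BASE_EPOCH (default now).
utctime() {
    date -u -d "@$(( ${2:-$(date +%s)} + $1 * 60 ))" +%y%m%d%H%M%SZ
}

# sign_short_lived CSR CA_CERT CA_KEY OUT MINUTES
# Signs CSR with notBefore = now and notAfter = now + MINUTES.
sign_short_lived() {
    local dir now
    dir=$(mktemp -d) || return 1
    now=$(date +%s)
    # `openssl ca` insists on a database, a serial file and a policy section,
    # so build a throwaway set. DN fields not named in the policy are dropped.
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
default_md = sha256
policy = test_policy
[ test_policy ]
commonName = supplied
EOF
    openssl ca -batch -notext -config "$dir/ca.cnf" -cert "$2" -keyfile "$3" \
        -startdate "$(utctime 0 "$now")" -enddate "$(utctime "$5" "$now")" \
        -in "$1" -out "$4"
}

# demo [DIR]: throwaway CA + client CSR, signed for 60 minutes, then the
# validity window shown with the x509 display options.
demo() {
    local d="${1:-$(mktemp -d)}"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Throwaway test CA" \
        -days 1 -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.test" \
        -keyout "$d/clientkey.pem" -out "$d/clientcert.csr" 2>/dev/null &&
    sign_short_lived "$d/clientcert.csr" "$d/cacert.pem" "$d/cakey.pem" \
        "$d/clientcert.pem" 60 2>/dev/null &&
    openssl x509 -noout -startdate -enddate -in "$d/clientcert.pem"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to build the throwaway CA and print the resulting notBefore/notAfter pair; `openssl x509 -noout -checkend SECONDS` gives a scriptable check of the same window.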
Answer by Grzegorz Luczywo
Try gossl that allows specifying cert validity start date and duration in various time units.
I developed it to overcome limitations of command line openssl. The tool is lightweight, implemented in Go, without dependencies, under MIT license.
Answer by assylias
You can set the -days option to 0:
openssl x509 -req -days 0 -in clientcert.csr -signkey cert.key -out ssl.crt
That will create a certificate with a notBefore and notAfter equal to the current time (i.e. your certificate will expire immediately).
Answer by Velu
Step-1. Install faketime
sudo apt-get install faketime
Step-2. Generate expired certificate a day before current date.
faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'
Step-3. Verify the certificate validity date
openssl x509 -noout -text -in cert.pem