Linux: How to generate an openssl certificate that expires in less than one day?

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/11947295/

Time: 2020-08-06 14:04:39  Source: igfitidea

How to generate openssl certificate with expiry less than one day?

linux openssl

Asked by m.divya.mohan

I am trying to create CA signed End Entity certificate using openssl commands as shown below, in Linux:

# openssl genrsa -des3 -out clientkey.pem 2048
# openssl req -new -key clientkey.pem -out clientcert.csr
# cp clientkey.pem clientkey.pem.org
# openssl rsa -in clientkey.pem.org -out clientkey.pem
# openssl x509 -req -days 1 -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial

Is it possible to specify the expiry time in hours, instead of days? I need to generate certificates with, say 1 hour expiry time, for some testing.

Openssl command seems to support some options to specify startdate and enddate, but I am not able to figure out how to use that. (I am assuming enddate might support specifying date and time.)

#openssl x509 -req -startdate 120814050000Z -enddate 120814060000Z -in clientcert.csr -out clientcert.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial

unknown option 120814050000Z
usage: x509 args
.
.
-startdate      - notBefore field
-enddate        - notAfter field
.
.
-days arg       - How long till expiry of a signed certificate - def 30 days

Accepted answer by Tom Lee

Or here is another way that I have found to work

Say I want my certificate to expire in 10 mins as a test

The current date is Feb 17th
The current time is 4:40pm

First I set my system date to -1 day: Feb 16th
I set my system clock to +10 mins: 4:50pm

I create my cert using openssl x509 to expire in 1 day, which really means expire on today, Feb 17th

openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt

I then reset my system clock and time to the actual date and time and voila you have a certificate that is going to expire in 10 mins!

Obviously not the real way to do things but nice and easy for creating self signed certificates for dev use.

Answer by runfa

The -startdate and -enddate options for the x509 command are display options. You can set specific start and end time using the ca command instead to sign the certificate.

Try something like this:

openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
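
Added example (not part of the answer above or of the original page): a self-contained script for the `openssl ca` approach, which builds a throwaway CA in a scratch directory and signs a CSR that is valid for a chosen number of minutes. The CA and subject names, the file names and the minimal config are constructed for the demo, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example, not from the original answers. All names and paths are constructed.
set -eu

# issue_short_cert DIR MINUTES: build a throwaway CA in DIR and sign a CSR so that
# DIR/clientcert.pem is valid from now until MINUTES from now.
issue_short_cert() {
    dir=$1; mins=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"       # empty certificate database required by `openssl ca`
    echo 01 > "$dir/serial"    # next serial number (hex)

    # Minimal `openssl ca` configuration (assumption: no extensions needed for the test).
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/newcerts
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
commonName    = supplied
EOF

    # Throwaway CA plus client key and CSR (unencrypted keys, test use only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$dir/clientkey.pem" -out "$dir/clientcert.csr" 2>/dev/null

    # -startdate/-enddate take UTC timestamps in YYMMDDHHMMSSZ form.
    start=$(date -u +%y%m%d%H%M%SZ)
    end=$(date -u -d "+$mins minutes" +%y%m%d%H%M%SZ)

    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -cert "$dir/cacert.pem" -keyfile "$dir/cakey.pem" \
        -startdate "$start" -enddate "$end" \
        -in "$dir/clientcert.csr" -out "$dir/clientcert.pem" >&2
}

# Demo: a 60-minute certificate; print notBefore/notAfter to confirm.
demo_dir=$(mktemp -d)
issue_short_cert "$demo_dir" 60
openssl x509 -in "$demo_dir/clientcert.pem" -noout -dates
```

`openssl x509 -checkend SECONDS` exits non-zero when the certificate will have expired within that many seconds, which is a convenient check in test scripts.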

Answer by Grzegorz Luczywo

Try gossl, which allows specifying cert validity start date and duration in various time units.

I developed it to overcome limitations of command line openssl. The tool is lightweight, implemented in Go, without dependencies, under MIT license.

Answer by assylias

You can set the -days option to 0:

openssl x509 -req -days 0 -in clientcert.csr -signkey cert.key -out ssl.crt

That will create a certificate with a notBefore and notAfter equal to the current time (i.e. your certificate will expire immediately).

Answer by Velu

Step-1. Install faketime

sudo apt-get install faketime

Step-2. Generate expired certificate a day before current date.

faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'

Step-3. Verify the certificate validity date

openssl x509 -noout -text -in cert.pem