
I am fairly new to OpenSSL and I am trying to specify a certificate that is valid for just one hour using OpenSSL. I have been successful in doing so with openssl ca using the -startdate and -enddate options, but I was wondering if it is possible to set the validity in a configuration file for use with openssl req? If so, could you provide an example?

I tried using similar syntax as:

privateKeyUsagePeriod = ASN1:SEQUENCE:privateKeyUsagePeriod

[privateKeyUsagePeriod]
notBefore = IMPLICIT:0,GENERALIZEDTIME:20170501000000Z
notAfter = IMPLICIT:0,GENERALIZEDTIME:22910501000000Z

This syntax does not seem to work for the validity. Thank you all in advance for any guidance you can give me.

grawity
MOT

1 Answer


First, your example for PrivateKeyUsagePeriod is wrong; notAfter should be tagged 1 not 0. Although since practically no software ever looks at PKUP, this error may not matter.

More substantively, PKUP is an extension and X509v3 extensions use an OID+varying structure that requires OpenSSL to allow essentially any ASN.1 type in order to support future additions without code change. Validity is part of the fixed part (from v1) and is implemented by specific code, and is not the same type anyway (not tagged, not OPTIONAL, and CHOICE{UTCTime,GeneralizedTime}).

For openssl ca you can use default_startdate and default_enddate in the config file section named by default_ca (not the one named by x509_extensions) instead of the command-line options. See the man page on your system or on the web under 'CONFIGURATION FILE OPTIONS'.

For other command-line operations there is currently no code supporting this; you can either write your own app(s) calling the library, or since OpenSSL is open-source just make a copy and modify it.
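A worked version of the openssl ca route the answer describes, added here as an example and not part of the answer: it renders a minimal CA config with default_startdate/default_enddate in the default_ca section, then issues a one-hour leaf certificate from a throwaway CA. It assumes GNU date (for -d '+1 hour'), an openssl CLI, and the made-up ./demo-ca layout and section names demo_ca, policy_any and leaf_ext.

```bash
#!/usr/bin/env bash
# Added example (not from the answer). Assumes GNU date and an openssl CLI;
# everything lives under ./demo-ca, which is created from scratch.
set -eu

# Render an openssl-ca config whose CA section fixes the validity window.
# $1 = notBefore, $2 = notAfter, both as YYYYMMDDHHMMSSZ in UTC.
make_ca_config() {
  cat <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir               = ./demo-ca
database          = \$dir/index.txt
new_certs_dir     = \$dir/newcerts
serial            = \$dir/serial
certificate       = \$dir/ca.crt
private_key       = \$dir/ca.key
default_md        = sha256
policy            = policy_any
x509_extensions   = leaf_ext
# Validity goes in the default_ca section, not the extensions section:
default_startdate = $1
default_enddate   = $2

[ policy_any ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
}

# One-hour window starting now; window_end relies on GNU date's -d syntax.
window_start() { date -u +%Y%m%d%H%M%SZ; }
window_end()   { date -u -d '+1 hour' +%Y%m%d%H%M%SZ; }

# Build a throwaway CA, sign a CSR with it, and print the resulting dates.
issue_one_hour_cert() {
  rm -rf demo-ca && mkdir -p demo-ca/newcerts && : > demo-ca/index.txt && echo 01 > demo-ca/serial
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
    -keyout demo-ca/ca.key -out demo-ca/ca.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=one-hour-leaf' \
    -keyout demo-ca/leaf.key -out demo-ca/leaf.csr 2>/dev/null
  make_ca_config "$(window_start)" "$(window_end)" > demo-ca/ca.cnf
  openssl ca -batch -config demo-ca/ca.cnf -in demo-ca/leaf.csr -out demo-ca/leaf.crt
  openssl x509 -in demo-ca/leaf.crt -noout -dates   # notBefore/notAfter one hour apart
}

if [ "${1:-}" = run ]; then issue_one_hour_cert; fi
```

Run it as `bash script.sh run`; the final openssl x509 line shows the notBefore/notAfter pair taken from the config rather than from -startdate/-enddate.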