I have a self-signed root CA certificate and key.
I am trying to create a server certificate which will be signed by this CA.
Here are the steps I took:
1) Generate a server key
openssl genrsa -out server.key 2048
2) Generate a signing request specifying 365 days
openssl req -new -key server.key -out server.csr -days 365 -sha256
3) Sign the request using the self-signed CA
openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -sha256
When I check my newly created cert as follows:
openssl x509 -noout -text -in server.crt
I can see this in the output:
Validity
Not Before: May 8 14:19:44 2017 GMT
Not After : Jun 7 14:19:44 2017 GMT
I'm not sure what I'm doing wrong here. Why didn't it create a cert with the correct expiration date even though I specified 365 days?
Best Answer
The certificate validity should be specified in the last step as in:
openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -sha256 -days 365
Otherwise, although you request 365 days when creating the CSR, the default configuration of the signing step overrides the days of the CSR request when you sign it.
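A reproducible check of the behaviour discussed above, as an added example that is not part of the original question or answer: it builds a throwaway CA in a temporary directory, signs the same CSR with and without -days 365, and compares the resulting lifetimes with openssl x509 -checkend. The subject names, file names and the sign_csr and valid_for_days helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example: every file is a throwaway created under a temp dir (constructed names).
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed test CA plus the server key and CSR, using the same steps as the question.
openssl genrsa -out "$work/CA.key" 2048 2>/dev/null
openssl req -x509 -new -key "$work/CA.key" -out "$work/CA.crt" \
    -subj "/CN=Example Test CA" -days 3650 -sha256
openssl genrsa -out "$work/server.key" 2048 2>/dev/null
# -days 365 is passed here as in the question; the resulting certs show whether it matters.
openssl req -new -key "$work/server.key" -out "$work/server.csr" \
    -subj "/CN=server.example.test" -days 365 -sha256 2>/dev/null

# sign_csr OUT [extra x509 options]: sign the CSR with the test CA.
sign_csr() {
    out=$1; shift
    openssl x509 -req -in "$work/server.csr" -CA "$work/CA.crt" -CAkey "$work/CA.key" \
        -CAcreateserial -out "$out" -sha256 "$@" 2>/dev/null
}

# valid_for_days CERT N: succeed only if CERT is still valid N days from now.
valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

sign_csr "$work/default.crt"            # step 3 exactly as in the question
sign_csr "$work/year.crt" -days 365     # step 3 with -days, as in the answer

for name in default year; do
    echo "== $name.crt"
    openssl x509 -noout -dates -in "$work/$name.crt"
    if valid_for_days "$work/$name.crt" 364; then
        echo "still valid in 364 days"
    else
        echo "expires within 364 days"
    fi
done
```

The same -checkend test can be run against a deployed certificate to catch a short lifetime before it expires in production.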