OpenSSL is not creating certificates with the expected expiration date

certificates, date, openssl

I have a self-signed root CA certificate and key.

I am trying to create a server certificate which will be signed by this CA.

Here are the steps I took:

1) Generate a server key

openssl genrsa -out server.key 2048

2) Generate a signing request specifying 365 days

openssl req -new -key server.key -out server.csr -days 365 -sha256

3) Sign the request using the self-signed CA

openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -sha256

When I check my newly created cert as follows:

openssl x509 -noout -text -in server.crt

I can see this in the output:

Validity
Not Before: May 8 14:19:44 2017 GMT
Not After : Jun 7 14:19:44 2017 GMT

I'm not sure what I'm doing wrong here. Why didn't it create a cert with the correct expiration date even though I specified 365 days?

Best Answer

The certificate validity should be specified in the last step as in:

openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out server.crt -sha256 -days 365

Otherwise, while you are requesting 365 days while creating the CSR, when you sign it the signing default configuration overrides the days of the CSR request.
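The behaviour discussed in the question and answer above, reproduced as an added example (not part of the original post or answer): it builds a throwaway CA in a temporary directory, signs the same CSR once without `-days` and once with `-days 365`, and uses `openssl x509 -checkend` to show which lifetime each certificate received. The subjects and the file names `default.crt` and `days365.crt` are constructed for this demonstration.

```shell
#!/bin/sh
# Added example. All file names and subjects below are constructed test values.
set -e

# outlives_days CERT N: succeeds if CERT is still valid N days from now.
outlives_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# build_certs DIR: throwaway CA, then the question's steps 1-3 signed two ways.
build_certs() {
    (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout CA.key -out CA.crt \
            -subj "/CN=Example Test CA" -days 3650 -sha256
        openssl genrsa -out server.key 2048
        # -days here has no effect: a CSR has no validity field.
        openssl req -new -key server.key -out server.csr \
            -subj "/CN=server.example.test" -days 365 -sha256
        # Step 3 as asked: no -days, so x509 falls back to its 30-day default.
        openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key \
            -CAcreateserial -out default.crt -sha256
        # Step 3 as answered: lifetime set at signing time.
        openssl x509 -req -in server.csr -CA CA.crt -CAkey CA.key \
            -CAcreateserial -out days365.crt -sha256 -days 365
    ) >/dev/null 2>&1
}

# lifetime_report CERT: print which day thresholds the certificate outlives.
lifetime_report() {
    for d in 29 31 364 366; do
        if outlives_days "$1" "$d"; then r=yes; else r=no; fi
        echo "$1 valid in $d days: $r"
    done
}

workdir=$(mktemp -d)
build_certs "$workdir"
lifetime_report "$workdir/default.crt"
lifetime_report "$workdir/days365.crt"
```

The same `-checkend` test works as a pre-deployment check that a freshly signed certificate received the lifetime you intended.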
