There are multiple lab use cases where we want to test certain scenarios which require a certificate to be expired. For example, you have configured an alarm to be triggered when any certificate is about to expire. Now to verify such an alarm you would want the certificate to be expired, right? So how do we manually expire any certificate? Actually there is no such command which you can execute to just mark any certificate as expired, but there are a couple of tricks which can be used to achieve this. In this tutorial I will share different tips and tricks which you can utilise to expire any certificate generated with openssl.

I have already generated the RootCA certificate, the private key and the CSR for the server certificate. In this article I will only execute the commands related to generating a signed server certificate. You may follow these articles to generate your own RootCA and server certificate before starting with this tutorial (if you don't already have one):
Create Certificate Authority and sign a certificate with Root CA
OpenSSL create certificate chain with Root & Intermediate CA

It is not a recommended method to change the system's date and time at runtime to such a future date, as this would impact many system features. The below command was executed just to give you a demonstration. You should use this only in a lab environment when you are aware of the impacts. I will use a different method to manipulate the system's date and time later in this article, which would be the recommended way.

As per the above validity check we did with the openssl command, our server certificate is going to expire on so let me change my date to any day after this date:
certs]# date --set " 10:10:10"

Now check the validity of the certificate:
certs]# openssl x509 -checkend 86400 -noout -in server.crt

So basically our certificate is now marked as expired. Let us verify the certificate against the rootCA:
certs]# openssl verify -CAfile cacert.pem -verbose server.crt
C = IN, ST = KARNATAKA, L = BENGALORE, O = GoLinuxCloud, OU = Admin, CN = RootCA
error 10 at 1 depth lookup: certificate has expired
C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = Admin, CN =
error 10 at 0 depth lookup: certificate has expired

So this exercise should explain the answer to the question "how does openssl determine if any certificate has expired or not": openssl simply compares the validity period stored in the certificate with the current date of the system it runs on. Let us look into different scenarios and examples to check this further.

Scenario-1: Generate an expired certificate

In this scenario we do not have a certificate yet and we are actually planning to generate a new certificate.

Method-1: Generate expired certificate using faketime with openssl

Now instead of modifying the system's date and time we can use the faketime tool to trick openssl into seeing a different date and time. For RHEL/CentOS/Fedora you must install the epel repo to install faketime:
certs]# yum whatprovides */faketime
Last metadata expiration check: 0:01:51 ago on Tue 10:15:29 AM IST.
libfaketime-0.9.86_64 : Manipulate system time per process for testing purposes
Filename :
certs]# yum install libfaketime -y

As you can see, I executed the date command by providing a dummy past date using faketime, and the date command returned the same date while the actual system's date was not changed. So now we can use faketime to manipulate the system's date into an old date and then generate a certificate:
certs]# faketime ' 10:10:10' openssl x509 -req -days 365 -in server.csr -CA cacert.pem -CAkey ca.key -CAcreateserial -out server.crt
Subject=C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = Admin, CN =

Check the validity of this certificate:
certs]# openssl x509 -noout -text -in server.crt | grep -i -A2 validity
Not After : Jan 1 04:40:10 2011
certs]# openssl x509 -checkend 86400 -noout -in server.crt
Certificate will

We have set the system date to and then we generated a certificate with an expiry of 1 year, and yet the certificate will still be expired because the actual date is
certs]# openssl verify -CAfile cacert.pem -verbose server.crt

So our certificate is already expired and you can continue with your tests.

Method-2: Generate expired certificate using past date

We also have an option to generate an expired certificate without using any additional tool. We have an option to specify the number of days of validity for the certificate using -days NUM. Here we can provide a negative value to get a date in the past, so the generated certificate will already be expired. Let us check this using an example:
certs]# openssl x509 -req -days -365 -in server.csr -CA cacert.pem -CAkey ca.key -CAcreateserial -out server.crt
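To make the two tricks above concrete, here is an added example (my own code, not the article's or OpenSSL's) that models what -days N writes into the certificate and how -checkend and openssl verify then judge it against the clock; the dates it uses are constructed, and with faketime only the signing-time clock moves while verification still uses the real clock.

```python
"""Added example (not the article's own code): a model of how
`openssl x509 -req -days N` sets the validity window and how
`openssl x509 -checkend` and `openssl verify` judge it against the clock."""
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)


def validity_for_days(signing_time: datetime, days: int):
    """notBefore/notAfter as written by `-days DAYS`: notBefore is the
    signing time, notAfter is signing time + DAYS*86400 s. A negative DAYS
    therefore puts notAfter before notBefore."""
    return signing_time, signing_time + days * DAY


def parse_enddate(line: str) -> datetime:
    """Parse `openssl x509 -enddate` output such as
    'notAfter=Jan  1 04:40:10 2011 GMT' (the day may be space padded)."""
    value = line.split("=", 1)[1] if "=" in line else line
    value = " ".join(value.split())          # collapse padding
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def will_expire(not_after: datetime, now: datetime, seconds: int = 0) -> bool:
    """Decision made by `openssl x509 -checkend SECONDS`: True means
    "Certificate will expire" (exit status 1), i.e. notAfter <= now + SECONDS."""
    return not_after <= now + timedelta(seconds=seconds)


def verify_time(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Time check performed by `openssl verify` against the real clock:
    expired when notAfter is not later than now."""
    if now < not_before:
        return "certificate is not yet valid"
    if not_after <= now:
        return "certificate has expired"
    return "OK"


def demo() -> dict:
    real_now = datetime(2021, 6, 1, 10, 0, 0, tzinfo=timezone.utc)     # constructed
    faked_now = datetime(2010, 1, 1, 4, 40, 10, tzinfo=timezone.utc)   # constructed faketime value
    nb1, na1 = validity_for_days(faked_now, 365)   # Method-1: faketime shifts only the signing clock
    nb2, na2 = validity_for_days(real_now, -365)   # Method-2: real clock, -days -365
    return {
        "faketime_not_after": na1.isoformat(),
        "faketime_checkend": will_expire(na1, real_now, 86400),
        "faketime_verify": verify_time(nb1, na1, real_now),
        "negative_days_verify": verify_time(nb2, na2, real_now),
        "negative_days_window_inverted": na2 < nb2,
    }
```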