OpenSSL "req -x509 -days" - Longer Self-Signed Certificate

Q

Can I sign my own CSR with a longer expiration date using the OpenSSL "req -x509" command? I want to use this certificate as an internal root CA for 10 years.

✍: FYIcenter.com

A

Yes, you can sign you own CSR (Certificate Sign Request) with a longer expiration date using the OpenSSL "req -x509 -days" command as shown below. Without the "-days" option, the resulting certificate is only valid for 30 days. See the example below:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -x509 -in rsa_test.csr -key rsa_test.key -out rsa_test.crt 
   -days 3650
Enter pass phrase for rsa_test.key:fyicenter

OpenSSL> x509 -in rsa_test.crt -dates -noout
notBefore=Aug 21 13:26:41 2016 GMT
notAfter=Aug 19 13:26:41 2026 GMT

 

OpenSSL "req -x509 -set_serial" - Certificate Serial Number

OpenSSL "req -x509" - Sign My Own CSR

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-11-11, 1281👍, 0💬