I am following steps similar to those in this answer to create a local CA.
Although the default_days option in my config file is set to 1825 (days), the generated CA certificate is always set to expire 30 days after creation.
I confirmed this by inspecting the generated PEM file:
openssl x509 -in ./cacert.pem -text -noout
This is the configuration file I use to create the CA certificate:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_days = 1825 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
base_dir = ./CA
certificate = $base_dir/cacert.pem # The CA certificate
private_key = $base_dir/private/cakey.pem # The CA private key
new_certs_dir = $base_dir/newcerts # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = Bakersfield
organizationName = Organization Name (eg, company)
organizationName_default = Some Company
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Some Org Unit
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = some-local-CA
emailAddress = Email Address
emailAddress_default = [email protected]
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
Then I create the local CA with this command (run in the same directory):
openssl req -x509 -config ./openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
I tried setting the default_crl_days option to a value other than 30, but it does not seem to have any effect.
How do I specify the expiry date (or the number of days until expiry) for the local CA?
With the setup that generates the CA and CA-INT, I get the following for my validity period:
I eventually found that I could only make it work by passing the value directly to openssl via the -days switch. For example:
If you follow the linked question/answer, the poster uses openssl req to generate the certificate. If there is no specific -days option on the command line, that command defaults to 30 days; the same applies to the x509 command. default_days, default_startdate and default_enddate in the options file are used only with the openssl ca command (not req or x509).