how to generate new root CA with given start/end dates #910

lesinigo · 2018-07-09T22:49:26Z

I'd like to generate a new root CA with a not_before date of my choice.

My basic, working setup is:

{
  "CN": "My root CA",
  "key": {
    "algo": "ecdsa",
    "size": 384
  },
  "ca": {
    "expiry": "87600h",
    "pathlen": 1
  },
  "names": [{
    "C":  "my country",
    "ST": "my state",
    "L":  "my location",
    "O":  "my org",
    "OU": "my unit"
  }]
}

...and I generate the CA with:

cfssl gencert -initca root_ca.json | cfssljson -bare root_ca

I have tried adding a config.json like this:

{
  "signing": {
    "default": {
      "not_before": "2018-07-01T00:00:00Z",
      "not_after": "2019-07-01T00:00:00Z"
    }
  }
}

or trying the same inside a signing / default block, or similar things.

How could I explicitly set Not Before and Not After (or a Not Before and an expire time) on a Root CA?

I'm not a Go coder but looking at func Update() in initca/initca.go I fear that it is hardcoded to the system's clock...

The text was updated successfully, but these errors were encountered:

chrisgavin · 2019-01-29T12:52:25Z

It's not the exact interface you asked for, but you can use the backdate option with the existing expiry option you've already set to override the time the certificate is valid from.

mmlb linked a pull request Jan 27, 2023 that will close this issue

Add support for NotBefore and NotAfter to initca #1270

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

how to generate new root CA with given start/end dates #910

how to generate new root CA with given start/end dates #910

lesinigo commented Jul 9, 2018

chrisgavin commented Jan 29, 2019

how to generate new root CA with given start/end dates #910

how to generate new root CA with given start/end dates #910

Comments

lesinigo commented Jul 9, 2018

chrisgavin commented Jan 29, 2019