1年以上有効なOpenVPN証明書の生成

tag-icon tag-icon openvpn
1年以上有効なOpenVPN証明書の生成

このコマンドは、値を100に変更しても3650に変更しても、365日間のみ有効な証明書を生成し続けますが、結果は同じです。一年。 10年間有効な証明書を生成する方法は?

# openssl req -new -keyout newkey.pem -out newreq.pem -days 3650
Generating a 2048 bit RSA private key
...........................................................+++
.........................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits PTY Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cb:32:13:1d:e2:40:2f:e4
        Validity
            Not Before: May 11 17:58:32 2021 GMT
            Not After : May 11 17:58:32 2022 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = State
            localityName              = City
            organizationName          = company
            organizationalUnitName    = section
            commonName                = server
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E7:8A:D9:91:7C:81:BF:C0:CE:D9:43:D7:C8:D8:03:1C:60:85:D0:35
            X509v3 Authority Key Identifier:
                keyid:CF:76:53:4A:FB:01:EC:DE:CE:40:C1:F2:F0:F6:6E:12:57:24:8F:45

Certificate is to be certified until May 11 17:58:32 2022 GMT (365 days)
Sign the certificate? [y/n]:

ベストアンサー1

奇妙な理由で変更する必要があります。default_daysそれ以外の場合は、コマンドラインオプションがopenssl.cnf上書きされます。-days

つまり、次のように編集openssl.confしてください。

default_days = 3650

直感的に、これは明らかに間違っており、ソフトウェアのデフォルトとコマンドラインオプションがどのようにやり取りするのか(そして実際にやり取りするか)という合理的な期待に反していますが、これがうまくいく方法です。

おすすめ記事