OpenSSL client certificate expires in 30 days

Posted at 9:30:24 PM in Security (4)

In my previous discussion on this topic, I listed a link that I thought was very helpful. In creating the server certificate, there is an option -days 3650, but that option is omitted when creating the postgresql.crt file. The default OpenSSL expiration is 30 days, meaning the client certificates would expire, forcing me to recreate new ones.

The solution is simple. In the command from the howtoforge site, change this:

openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial

and add the -days option:

openssl x509 -req -in /tmp/postgresql.csr -CA root.crt -CAkey server.key -out /tmp/postgresql.crt -CAcreateserial -days 3650

You can test the dates by issuing this command:

openssl x509 -noout -dates -issuer -subject -in postgresql.crt

Your output should be something like this:
notBefore=Oct  1 00:10:46 2013 GMT
notAfter=Sep 29 00:10:46 2023 GMT
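
To see the difference between the two signing commands without touching real certificates, the following added example (not from the original post or the howtoforge guide) signs one CSR with and without -days and then uses openssl's -checkend option to flag whichever certificate expires within a chosen window. The CA, the file names and the subject names are all constructed for the demo.

```shell
#!/bin/sh
# Added example. Every file name and subject name below is constructed.

# expires_within CERT DAYS: succeeds if CERT's notAfter falls inside the
# next DAYS days (or has passed). -checkend exits 0 when the certificate
# is still valid after N seconds, so the result is inverted. An unreadable
# file also counts as "expiring", which errs toward raising the alert.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# make_demo_certs DIR: build a throwaway CA and one client CSR, then sign
# the CSR twice: once without -days and once with -days 3650.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/default.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/long.crt" -days 3650 2>/dev/null
}

# report DIR WINDOW_DAYS: print which demo certificate needs renewal soon.
report() {
    for c in "$1/default.crt" "$1/long.crt"; do
        if expires_within "$c" "$2"; then
            echo "RENEW  $c ($(openssl x509 -noout -enddate -in "$c"))"
        else
            echo "OK     $c ($(openssl x509 -noout -enddate -in "$c"))"
        fi
    done
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" && report "$demo_dir" 90
rm -rf "$demo_dir"
```

The expires_within function can be pointed at a real postgresql.crt from a scheduled job so that renewal is noticed before connections start failing.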

Written by Leonard Rogers on Tuesday, October 1, 2013

