Why does openssl ignore -days for the expiration date of a self-signed certificate?

The validity is set with openssl x509 and not with openssl req. If you put the -days option with the x509 command, it will work.

You get the 30/08 because there isn't a -days option that overrides the default certificate validity of 30 days, as mentioned in the x509 man page:

-days arg
specifies the number of days to make a certificate valid for. The default is 30 days.

Side note: generating a certificate with 358000 days (980 years!) validity is too long if you want reasonable security.


The validity period of a certificate is set when that certificate is generated.

  • openssl req by itself generates a certificate signing request (CSR). -days specified here will be ignored.

  • openssl x509 issues a certificate from a CSR. This is where -days should be specified.

But:

  • openssl req -x509 combines req and x509 into one; it generates a CSR and signs it, issuing a certificate in one go. That's why req supports the -days flag, as it passes it internally to the x509 command.
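
The split described in both answers, as an added shell example that is not part of either answer: it builds a CSR, signs it with and without -days, issues a one-step certificate with req -x509, and checks each result with openssl x509 -checkend. The subject /CN=example.test, the file names and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: where -days takes effect. Subject and file names are constructed.

# valid_in_days CERT N -> exit 0 if CERT is still valid N days from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_csr DIR: key + CSR only. -days is passed here but has no effect,
# because a CSR carries no validity period.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/req.csr" -days 365 2>/dev/null
}

# sign_csr DIR OUT [DAYS]: self-sign the CSR; validity is decided in this step.
sign_csr() {
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" \
        -out "$1/$2" ${3:+-days "$3"} 2>/dev/null
}

# one_step DIR OUT DAYS: req -x509 issues the certificate itself, so -days applies.
one_step() {
    openssl req -x509 -new -key "$1/key.pem" -subj "/CN=example.test" \
        -out "$1/$2" -days "$3" 2>/dev/null
}

# report CERT LOW HIGH: print whether CERT is valid LOW and HIGH days from now.
report() {
    for d in "$2" "$3"; do
        if valid_in_days "$1" "$d"; then r=yes; else r=no; fi
        printf '%s valid in %s days: %s\n' "${1##*/}" "$d" "$r"
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" && sign_csr "$dir" default.pem \
        && sign_csr "$dir" signed365.pem 365 && one_step "$dir" onestep365.pem 365 \
        || { rm -rf "$dir"; return 1; }
    report "$dir/default.pem" 29 31        # no -days: default validity of 30 days
    report "$dir/signed365.pem" 364 366    # -days given to x509
    report "$dir/onestep365.pem" 364 366   # -days given to req -x509
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```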