Why openssl ignore -days for expiration date for self signed certificate?
The validity is set with openssl x509
and not with openssl req
.
It you put the -days
option with x509
command, it will work.
You get the 30/08 because there isn't a -days
option that override the default certificate validity of 30 days, as mentioned in x509
the man page:
-days arg
specifies the number of days to make a certificate valid for. The default is 30 days.
Side note, generating certificate with 358000 days (980 years!) validity is too long if you want reasonable security.
The validity period of a certificate is set when that certificate is generated.
openssl req
by itself generates a certificate signing request (CSR).-days
specified here will be ignored.openssl x509
issues a certificate from a CSR. This is where-days
should be specified.
But:
-
openssl req -x509
combinesreq
andx509
into one; it generates a CSR and signs it, issuing a certificate in one go. That's whyreq
supports the-days
flag, as it passes it internally to thex509
command.