Solved

OpenSSL certificate expiration date

Posted on 2011-03-10
15
2,953 Views
Last Modified: 2012-05-11
Hello,
 I am trying to script SSL certificate creation for our internal testing environment. We have a large testing environment with close to 80 certificates. I am trying to set the certificates to expire at the maximum of 2037  as if they go into 2038 than the OpenSSL fails to produce the certificates. I used the -days but you have to manually decrement the number to keep it from going into 2038. I need to figure out a way to have it automatically decrement the -days so the certificates will expire in 2037 no matter who runs the utility. Any help would be great.....
0
Comment
Question by:J1thatguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
15 Comments
 
LVL 40

Expert Comment

by:noci
ID: 35113473
openssl .... -days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  ) ....

Should help:
2**31 = 2147483648         (this is the maximum time in seconds represented in a signed longword).
                                        (and for a date in seconds since 1970 it is about 19 jan 2038.)
if you subtract the current time in seconds since 1970 (time()) then you have the seconds left until 2038.
then device by 86400 (number of seconds in a day) you then have the days until that date.
(And truncate it to an integer using the sprintf. and print it to stdout for the shell...

$(   ..... ) execute the command between the braces () and picks the stdout from that subshell and substitutes it at the command.


0
 
LVL 40

Expert Comment

by:noci
ID: 35113475
(Oh if this a number of days off you can allways subtract a number of days. ;-)
0
 

Author Comment

by:J1thatguy
ID: 35114477
Yes i need it to calculate number of days to limit it to a cert that expires in 2037. Not sure how to convert that to days but the commands as it stands just opens a text file with "47" in it and the certificate utility stops there. I will keep trying to get it to work but any guidance would be great as I am not a programmer by any means. Thanx for the help so far as I believe this is real close to solving the issue
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:J1thatguy
ID: 35114480
sorry that pop up is unrelated.....
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 35115000
(31 december 2037 = clocktick ~2145916799 )       (Calculated constant)
now                       = clocktick 1299915867    )      ( output of the perl  time function )
So time until then is 846000932 clockticks.

with 86400 clockticks per day that makes:
846000932 / 86400 =    9791.6774537037 day until 31 dec 2037.

(or in whole numbers: 9791 days )...
  perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"'
or
  perl -e 'print int(2145916799-time)/86400)."\n;"'

should give you a number 9791 on march 12th. (GMT)...

$( ... ) is a bash shell expression to  include the output of some command into a commandline
If the line is multiple output then all lines are put after one another with a space in between:
compare the output of:
  ls -1
and
  echo $( ls -1 )
("ls -(one)" not "ls - (el)")
0
 

Author Comment

by:J1thatguy
ID: 35115007
I get "bad number of days" using
-days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  )

but if I run the command with perl at the command line it calculates the days correctly. So I must be missing some thing small now about getting perl to execute inside the batch file. Will start researching some more...
0
 

Author Comment

by:J1thatguy
ID: 35115064
if I run the command as is I get bad number of days. I don't think it is reading the output correctly as it work at the command line

openssl x509 -req -in c:\Certs\test\%%A-2037\%%A.csr -days $(c:\\bin\perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"') -CA CA_root_ca.2036.cert -CAkey

CA_root_ca.key -passin pass:#### -CAserial serial.txt -out c:\Certs\test\%%A-2037\%%A.cer -text

so close..
0
 

Author Closing Comment

by:J1thatguy
ID: 35115242
I still need to work out how to get iit to work in my script but it does calculate the days correclty. Very impressed...
0
 
LVL 40

Expert Comment

by:noci
ID: 35115491
Are you using a windows batch file? %%A seems to indicate that.
Then obviously $( ) will not work...
But if you use openssl then chances are that you use cygwin.
Bash is also the default shell for cygwin....
Otherwise you can think about installing cygwin. It free & opensource, and provides a unix environment within windows. (openssl is part of that too, as well as ssh f.e.).
0
 

Author Comment

by:J1thatguy
ID: 35115495
Sorry just got the last part

ls -1 gives me the directory listing

echo $(ls -1) gives me $(ls-1)

0
 
LVL 40

Expert Comment

by:noci
ID: 35115537
And echo $( ls -1 ) should also give you a directory listing but all on one line.
0
 

Author Comment

by:J1thatguy
ID: 35115574
oddly it just prints the command $( ls -1 )

I am trying to set the perl output to a variable to get around this but also having a tough time getting it to work so far.
0
 

Author Comment

by:J1thatguy
ID: 35115665
Yes its windows and unfortunately I am creating this in an app for people to use so having them all install bash will be difficult. I believe they downloaded openssl as cygwin is not present on this system.
0
 
LVL 40

Expert Comment

by:noci
ID: 35132765
Now I am getting out of my leage here..
Does this work?

FOR /F "usebackq" %X (` perl -e '...' `) do set days=%X

0
 

Author Comment

by:J1thatguy
ID: 35132886
Your calculation worked. I uses it to set a variable and passed that to OpenSSL. I just had to remove the extra line it was creating in the file. Thank you for the help.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question