?
Solved

OpenSSL certificate expiration date

Posted on 2011-03-10
15
Medium Priority
?
3,096 Views
Last Modified: 2012-05-11
Hello,
 I am trying to script SSL certificate creation for our internal testing environment. We have a large testing environment with close to 80 certificates. I am trying to set the certificates to expire at the maximum of 2037  as if they go into 2038 than the OpenSSL fails to produce the certificates. I used the -days but you have to manually decrement the number to keep it from going into 2038. I need to figure out a way to have it automatically decrement the -days so the certificates will expire in 2037 no matter who runs the utility. Any help would be great.....
0
Comment
Question by:J1thatguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
15 Comments
 
LVL 40

Expert Comment

by:noci
ID: 35113473
openssl .... -days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  ) ....

Should help:
2**31 = 2147483648         (this is the maximum time in seconds represented in a signed longword).
                                        (and for a date in seconds since 1970 it is about 19 jan 2038.)
if you subtract the current time in seconds since 1970 (time()) then you have the seconds left until 2038.
then device by 86400 (number of seconds in a day) you then have the days until that date.
(And truncate it to an integer using the sprintf. and print it to stdout for the shell...

$(   ..... ) execute the command between the braces () and picks the stdout from that subshell and substitutes it at the command.


0
 
LVL 40

Expert Comment

by:noci
ID: 35113475
(Oh if this a number of days off you can allways subtract a number of days. ;-)
0
 

Author Comment

by:J1thatguy
ID: 35114477
Yes i need it to calculate number of days to limit it to a cert that expires in 2037. Not sure how to convert that to days but the commands as it stands just opens a text file with "47" in it and the certificate utility stops there. I will keep trying to get it to work but any guidance would be great as I am not a programmer by any means. Thanx for the help so far as I believe this is real close to solving the issue
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 

Author Comment

by:J1thatguy
ID: 35114480
sorry that pop up is unrelated.....
0
 
LVL 40

Accepted Solution

by:
noci earned 2000 total points
ID: 35115000
(31 december 2037 = clocktick ~2145916799 )       (Calculated constant)
now                       = clocktick 1299915867    )      ( output of the perl  time function )
So time until then is 846000932 clockticks.

with 86400 clockticks per day that makes:
846000932 / 86400 =    9791.6774537037 day until 31 dec 2037.

(or in whole numbers: 9791 days )...
  perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"'
or
  perl -e 'print int(2145916799-time)/86400)."\n;"'

should give you a number 9791 on march 12th. (GMT)...

$( ... ) is a bash shell expression to  include the output of some command into a commandline
If the line is multiple output then all lines are put after one another with a space in between:
compare the output of:
  ls -1
and
  echo $( ls -1 )
("ls -(one)" not "ls - (el)")
0
 

Author Comment

by:J1thatguy
ID: 35115007
I get "bad number of days" using
-days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  )

but if I run the command with perl at the command line it calculates the days correctly. So I must be missing some thing small now about getting perl to execute inside the batch file. Will start researching some more...
0
 

Author Comment

by:J1thatguy
ID: 35115064
if I run the command as is I get bad number of days. I don't think it is reading the output correctly as it work at the command line

openssl x509 -req -in c:\Certs\test\%%A-2037\%%A.csr -days $(c:\\bin\perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"') -CA CA_root_ca.2036.cert -CAkey

CA_root_ca.key -passin pass:#### -CAserial serial.txt -out c:\Certs\test\%%A-2037\%%A.cer -text

so close..
0
 

Author Closing Comment

by:J1thatguy
ID: 35115242
I still need to work out how to get iit to work in my script but it does calculate the days correclty. Very impressed...
0
 
LVL 40

Expert Comment

by:noci
ID: 35115491
Are you using a windows batch file? %%A seems to indicate that.
Then obviously $( ) will not work...
But if you use openssl then chances are that you use cygwin.
Bash is also the default shell for cygwin....
Otherwise you can think about installing cygwin. It free & opensource, and provides a unix environment within windows. (openssl is part of that too, as well as ssh f.e.).
0
 

Author Comment

by:J1thatguy
ID: 35115495
Sorry just got the last part

ls -1 gives me the directory listing

echo $(ls -1) gives me $(ls-1)

0
 
LVL 40

Expert Comment

by:noci
ID: 35115537
And echo $( ls -1 ) should also give you a directory listing but all on one line.
0
 

Author Comment

by:J1thatguy
ID: 35115574
oddly it just prints the command $( ls -1 )

I am trying to set the perl output to a variable to get around this but also having a tough time getting it to work so far.
0
 

Author Comment

by:J1thatguy
ID: 35115665
Yes its windows and unfortunately I am creating this in an app for people to use so having them all install bash will be difficult. I believe they downloaded openssl as cygwin is not present on this system.
0
 
LVL 40

Expert Comment

by:noci
ID: 35132765
Now I am getting out of my leage here..
Does this work?

FOR /F "usebackq" %X (` perl -e '...' `) do set days=%X

0
 

Author Comment

by:J1thatguy
ID: 35132886
Your calculation worked. I uses it to set a variable and passed that to OpenSSL. I just had to remove the extra line it was creating in the file. Thank you for the help.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question