Solved

OpenSSL certificate expiration date

Posted on 2011-03-10
15
2,845 Views
Last Modified: 2012-05-11
Hello,
 I am trying to script SSL certificate creation for our internal testing environment. We have a large testing environment with close to 80 certificates. I am trying to set the certificates to expire at the maximum of 2037  as if they go into 2038 than the OpenSSL fails to produce the certificates. I used the -days but you have to manually decrement the number to keep it from going into 2038. I need to figure out a way to have it automatically decrement the -days so the certificates will expire in 2037 no matter who runs the utility. Any help would be great.....
0
Comment
Question by:J1thatguy
  • 9
  • 6
15 Comments
 
LVL 40

Expert Comment

by:noci
ID: 35113473
openssl .... -days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  ) ....

Should help:
2**31 = 2147483648         (this is the maximum time in seconds represented in a signed longword).
                                        (and for a date in seconds since 1970 it is about 19 jan 2038.)
if you subtract the current time in seconds since 1970 (time()) then you have the seconds left until 2038.
then device by 86400 (number of seconds in a day) you then have the days until that date.
(And truncate it to an integer using the sprintf. and print it to stdout for the shell...

$(   ..... ) execute the command between the braces () and picks the stdout from that subshell and substitutes it at the command.


0
 
LVL 40

Expert Comment

by:noci
ID: 35113475
(Oh if this a number of days off you can allways subtract a number of days. ;-)
0
 

Author Comment

by:J1thatguy
ID: 35114477
Yes i need it to calculate number of days to limit it to a cert that expires in 2037. Not sure how to convert that to days but the commands as it stands just opens a text file with "47" in it and the certificate utility stops there. I will keep trying to get it to work but any guidance would be great as I am not a programmer by any means. Thanx for the help so far as I believe this is real close to solving the issue
0
Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

 

Author Comment

by:J1thatguy
ID: 35114480
sorry that pop up is unrelated.....
0
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 35115000
(31 december 2037 = clocktick ~2145916799 )       (Calculated constant)
now                       = clocktick 1299915867    )      ( output of the perl  time function )
So time until then is 846000932 clockticks.

with 86400 clockticks per day that makes:
846000932 / 86400 =    9791.6774537037 day until 31 dec 2037.

(or in whole numbers: 9791 days )...
  perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"'
or
  perl -e 'print int(2145916799-time)/86400)."\n;"'

should give you a number 9791 on march 12th. (GMT)...

$( ... ) is a bash shell expression to  include the output of some command into a commandline
If the line is multiple output then all lines are put after one another with a space in between:
compare the output of:
  ls -1
and
  echo $( ls -1 )
("ls -(one)" not "ls - (el)")
0
 

Author Comment

by:J1thatguy
ID: 35115007
I get "bad number of days" using
-days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  )

but if I run the command with perl at the command line it calculates the days correctly. So I must be missing some thing small now about getting perl to execute inside the batch file. Will start researching some more...
0
 

Author Comment

by:J1thatguy
ID: 35115064
if I run the command as is I get bad number of days. I don't think it is reading the output correctly as it work at the command line

openssl x509 -req -in c:\Certs\test\%%A-2037\%%A.csr -days $(c:\\bin\perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"') -CA CA_root_ca.2036.cert -CAkey

CA_root_ca.key -passin pass:#### -CAserial serial.txt -out c:\Certs\test\%%A-2037\%%A.cer -text

so close..
0
 

Author Closing Comment

by:J1thatguy
ID: 35115242
I still need to work out how to get iit to work in my script but it does calculate the days correclty. Very impressed...
0
 
LVL 40

Expert Comment

by:noci
ID: 35115491
Are you using a windows batch file? %%A seems to indicate that.
Then obviously $( ) will not work...
But if you use openssl then chances are that you use cygwin.
Bash is also the default shell for cygwin....
Otherwise you can think about installing cygwin. It free & opensource, and provides a unix environment within windows. (openssl is part of that too, as well as ssh f.e.).
0
 

Author Comment

by:J1thatguy
ID: 35115495
Sorry just got the last part

ls -1 gives me the directory listing

echo $(ls -1) gives me $(ls-1)

0
 
LVL 40

Expert Comment

by:noci
ID: 35115537
And echo $( ls -1 ) should also give you a directory listing but all on one line.
0
 

Author Comment

by:J1thatguy
ID: 35115574
oddly it just prints the command $( ls -1 )

I am trying to set the perl output to a variable to get around this but also having a tough time getting it to work so far.
0
 

Author Comment

by:J1thatguy
ID: 35115665
Yes its windows and unfortunately I am creating this in an app for people to use so having them all install bash will be difficult. I believe they downloaded openssl as cygwin is not present on this system.
0
 
LVL 40

Expert Comment

by:noci
ID: 35132765
Now I am getting out of my leage here..
Does this work?

FOR /F "usebackq" %X (` perl -e '...' `) do set days=%X

0
 

Author Comment

by:J1thatguy
ID: 35132886
Your calculation worked. I uses it to set a variable and passed that to OpenSSL. I just had to remove the extra line it was creating in the file. Thank you for the help.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question