Solved

OpenSSL certificate expiration date

Posted on 2011-03-10
15
2,702 Views
Last Modified: 2012-05-11
Hello,
 I am trying to script SSL certificate creation for our internal testing environment. We have a large testing environment with close to 80 certificates. I am trying to set the certificates to expire at the maximum of 2037  as if they go into 2038 than the OpenSSL fails to produce the certificates. I used the -days but you have to manually decrement the number to keep it from going into 2038. I need to figure out a way to have it automatically decrement the -days so the certificates will expire in 2037 no matter who runs the utility. Any help would be great.....
0
Comment
Question by:J1thatguy
  • 9
  • 6
15 Comments
 
LVL 39

Expert Comment

by:noci
ID: 35113473
openssl .... -days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  ) ....

Should help:
2**31 = 2147483648         (this is the maximum time in seconds represented in a signed longword).
                                        (and for a date in seconds since 1970 it is about 19 jan 2038.)
if you subtract the current time in seconds since 1970 (time()) then you have the seconds left until 2038.
then device by 86400 (number of seconds in a day) you then have the days until that date.
(And truncate it to an integer using the sprintf. and print it to stdout for the shell...

$(   ..... ) execute the command between the braces () and picks the stdout from that subshell and substitutes it at the command.


0
 
LVL 39

Expert Comment

by:noci
ID: 35113475
(Oh if this a number of days off you can allways subtract a number of days. ;-)
0
 

Author Comment

by:J1thatguy
ID: 35114477
Yes i need it to calculate number of days to limit it to a cert that expires in 2037. Not sure how to convert that to days but the commands as it stands just opens a text file with "47" in it and the certificate utility stops there. I will keep trying to get it to work but any guidance would be great as I am not a programmer by any means. Thanx for the help so far as I believe this is real close to solving the issue
0
 

Author Comment

by:J1thatguy
ID: 35114480
sorry that pop up is unrelated.....
0
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
ID: 35115000
(31 december 2037 = clocktick ~2145916799 )       (Calculated constant)
now                       = clocktick 1299915867    )      ( output of the perl  time function )
So time until then is 846000932 clockticks.

with 86400 clockticks per day that makes:
846000932 / 86400 =    9791.6774537037 day until 31 dec 2037.

(or in whole numbers: 9791 days )...
  perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"'
or
  perl -e 'print int(2145916799-time)/86400)."\n;"'

should give you a number 9791 on march 12th. (GMT)...

$( ... ) is a bash shell expression to  include the output of some command into a commandline
If the line is multiple output then all lines are put after one another with a space in between:
compare the output of:
  ls -1
and
  echo $( ls -1 )
("ls -(one)" not "ls - (el)")
0
 

Author Comment

by:J1thatguy
ID: 35115007
I get "bad number of days" using
-days $( perl -e 'print sprintf("%d",((((2**31)-1)-(time))/86400))."\n;"'  )

but if I run the command with perl at the command line it calculates the days correctly. So I must be missing some thing small now about getting perl to execute inside the batch file. Will start researching some more...
0
 

Author Comment

by:J1thatguy
ID: 35115064
if I run the command as is I get bad number of days. I don't think it is reading the output correctly as it work at the command line

openssl x509 -req -in c:\Certs\test\%%A-2037\%%A.csr -days $(c:\\bin\perl -e 'print sprintf("%d",((2145916799-time)/86400))."\n;"') -CA CA_root_ca.2036.cert -CAkey

CA_root_ca.key -passin pass:#### -CAserial serial.txt -out c:\Certs\test\%%A-2037\%%A.cer -text

so close..
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Closing Comment

by:J1thatguy
ID: 35115242
I still need to work out how to get iit to work in my script but it does calculate the days correclty. Very impressed...
0
 
LVL 39

Expert Comment

by:noci
ID: 35115491
Are you using a windows batch file? %%A seems to indicate that.
Then obviously $( ) will not work...
But if you use openssl then chances are that you use cygwin.
Bash is also the default shell for cygwin....
Otherwise you can think about installing cygwin. It free & opensource, and provides a unix environment within windows. (openssl is part of that too, as well as ssh f.e.).
0
 

Author Comment

by:J1thatguy
ID: 35115495
Sorry just got the last part

ls -1 gives me the directory listing

echo $(ls -1) gives me $(ls-1)

0
 
LVL 39

Expert Comment

by:noci
ID: 35115537
And echo $( ls -1 ) should also give you a directory listing but all on one line.
0
 

Author Comment

by:J1thatguy
ID: 35115574
oddly it just prints the command $( ls -1 )

I am trying to set the perl output to a variable to get around this but also having a tough time getting it to work so far.
0
 

Author Comment

by:J1thatguy
ID: 35115665
Yes its windows and unfortunately I am creating this in an app for people to use so having them all install bash will be difficult. I believe they downloaded openssl as cygwin is not present on this system.
0
 
LVL 39

Expert Comment

by:noci
ID: 35132765
Now I am getting out of my leage here..
Does this work?

FOR /F "usebackq" %X (` perl -e '...' `) do set days=%X

0
 

Author Comment

by:J1thatguy
ID: 35132886
Your calculation worked. I uses it to set a variable and passed that to OpenSSL. I just had to remove the extra line it was creating in the file. Thank you for the help.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now