[SOLVED] Certificate expiration date questions

angel115 · 11-10-2011, 10:07 AM

Hello There,

I setup a pure ftp server with TLS encryption, it all work fine for now.

But my question is about the certificate
I though I gave it a life time of 10 years, but when I check the expiration date it seems to expire in 30 days:

Code:

# openssl x509 -noout -in /etc/ssl/private/pure-ftpd.pem -dates
notBefore=Nov 10 15:16:36 2011 GMT
notAfter=Dec 10 15:16:36 2011 GMT
#

1. Does that mean that it will expire on the "Dec 10 15:16:36 2011 GMT"? Or only that it have to be recheck after that date?

2. How can I see the validity date of the certificate?

3. What will happen when the certificate will expire? Will the users still able to connect via TLS if I don't renew it in time?

As this server, is made to go in production soon, I do prefer to have the answer of these question before to get stuck and see all my users complaining.

Thank you for your help,
Angel.

bathory · 11-10-2011, 12:41 PM

Hi,

1. Yes it will expire on that date.
2. Using the same openssl command as you already did.
3. I guess it will continue to work, but it will show a warning to clients that the certificate has expired.

Regards

angel115 · 11-11-2011, 02:19 AM

Ok thanks a lot for these answer.

And how can I do to set the expiration date of the certificate at the creation?

As I've already put the default_crl_days and the default_days to 3650 in my /etc/ssl/openssl.cnf file.

Best regards,
Angel.

bathory · 11-11-2011, 02:52 AM

Hi,

I don't use a openssl.cnf file, but rather a command like:

Code:

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Regards

angel115 · 11-11-2011, 03:01 AM

Quote:

Originally Posted by bathory

Code:

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

Good job, that works fine.

Thanks a lot,
Angel.