Rich Freeman via plug on 13 Oct 2020 12:01:33 -0700



Re: [PLUG] expiring certificates quickly


On Tue, Oct 13, 2020 at 2:23 PM Rita via plug
<plug@lists.phillylinux.org> wrote:
>
> I am setting up postgresql ssl authentication (https://www.postgresql.org/docs/9.5/ssl-tcp.html). I have it working but I am curious if I can expire my certificates quicker.
>
> Here is how I request a client cert
>
> openssl x509 -req -in client/client.csr -days 1 \
>         -CA certs/ca.crt -CAkey keys/ca.key -CAcreateserial \
>         -out certs/client.crt
>
> Ideally, I would like to have a valid cert for 60 secs. Is it possible to do?

It looks like this should be possible if you use the openssl ca app
instead of the x509 app.  I think this requires a config file.  man
openssl-ca has the gory details including some examples.  I don't
think they have any end date examples, but the enddate field uses the
format YYYYMMDDHHMMSSZ. It also supports -days.  Looking at the
source for the x509 app, days is an integer, and all the calls to
set_cert_times just pass the days value and not explicit end dates.

The x509 app does have an option to preserve start/end dates so if you
can generate an unsigned certificate and use that mode to modify it,
then that might also work.

There is also a shell utility called faketime that intercepts
date/time calls.  From what I can tell the x509 app keeps the current
time when it sets the end date (i.e. if it is 1PM today and you pass
-days 1, then you end up with a cert that expires at 1PM tomorrow).
That means you could run it with a fake time 1 day in the past less 1
minute, and pass -days 1, and end up with something that expires a
minute from now.  The start date would be 1 day in the past though,
which means that maybe it could be used for time-travel shenanigans.

I think the ca app would be the cleanest approach if you're willing to
deal with its syntax and config files.

-- 
Rich

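The ca-app route Rich describes, as an added example that is not from the thread: it builds a throwaway CA in a temp dir, signs a client CSR with explicit -startdate/-enddate values 60 seconds apart, and reads the window back out of the issued cert. The config layout and file names are hypothetical, and GNU date (for -d) is assumed.

```shell
#!/bin/sh
# Added example: issue a client cert with an explicit 60-second validity window
# via `openssl ca`, which takes -startdate/-enddate in YYYYMMDDHHMMSSZ form.
# All paths and the CA layout below are hypothetical; GNU date is assumed.
set -e

# Mints a throwaway CA and client key in a temp dir, signs the CSR with an
# explicit window, and prints the resulting validity length in seconds.
issue_short_lived_cert() (
  cd "$(mktemp -d)"
  mkdir ca && touch ca/index.txt && echo 1000 > ca/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = short_ca
[ short_ca ]
dir             = ./ca
database        = $dir/index.txt
new_certs_dir   = $dir
serial          = $dir/serial
certificate     = ./ca.crt
private_key     = ./ca.key
default_md      = sha256
policy          = policy_cn
x509_extensions = client_ext
[ policy_cn ]
commonName      = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=test-ca -days 1 \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=client \
    -keyout client.key -out client.csr >/dev/null 2>&1
  # The window is stated explicitly (from one epoch value) instead of via -days.
  now=$(date -u +%s)
  start=$(date -u -d "@$now" +%Y%m%d%H%M%SZ)
  end=$(date -u -d "@$((now + 60))" +%Y%m%d%H%M%SZ)
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt \
    -startdate "$start" -enddate "$end" >/dev/null 2>&1
  # Read back notBefore/notAfter and report the window length in seconds.
  nb=$(openssl x509 -in client.crt -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in client.crt -noout -enddate | cut -d= -f2)
  echo $(( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ))
)
```

Note that the verifying side (here, PostgreSQL) compares notAfter against its own clock, so a 60-second window only behaves as intended when client, CA and server clocks are tightly synchronised.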
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug