
How to extend the term of CA validity?

Open Wang-Kai opened this issue 3 years ago • 1 comments

I generated my self-signed CA with cfssl gencert -initca, but the default term of validity is 5 years. How can I modify it to 10 years? I don’t want to recreate a new CA, because it has signed a lot of sub CAs.

Can anyone help me? Thanks so much.

Wang-Kai avatar Dec 07 '22 09:12 Wang-Kai

@Wang-Kai When generating a certificate using e.g.

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-conf.json -profile server ...

you can pass ca-conf.json with something like this:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "server": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "client": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

deric avatar Dec 14 '22 16:12 deric
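
An added example, not part of the thread and not cfssl code: a check that reads a signing config like the one above and reports which profiles would issue certificates that expire after the CA certificate that signs them. Once the CA certificate expires the chain no longer validates, whatever the leaf's own expiry says. The function names are hypothetical, and the dates and the trimmed config are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Subset of the units accepted by Go's time.ParseDuration, the duration
# syntax that cfssl "expiry" values such as "87600h" are written in.
_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 1e-3, "us": 1e-6, "ns": 1e-9}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|h|m|s)")


def parse_expiry(value):
    """Convert a duration such as "87600h" or "8760h30m" to a timedelta."""
    pos, seconds = 0, 0.0
    for match in _TOKEN.finditer(value):
        if match.start() != pos:  # unparsed characters between tokens
            break
        seconds += float(match.group(1)) * _UNITS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"not a valid duration: {value!r}")
    return timedelta(seconds=seconds)


def profiles_outliving_ca(config_text, ca_not_after, now):
    """Return {profile: days past CA expiry} for every profile whose
    certificates, if issued at `now`, would expire after the CA certificate."""
    signing = json.loads(config_text)["signing"]
    profiles = {"default": signing.get("default", {}), **signing.get("profiles", {})}
    late = {}
    for name, profile in profiles.items():
        if "expiry" not in profile:
            continue
        leaf_not_after = now + parse_expiry(profile["expiry"])
        if leaf_not_after > ca_not_after:
            late[name] = (leaf_not_after - ca_not_after).days
    return late


# Constructed sample: the config above trimmed, with one profile shortened.
SAMPLE_CONFIG = """{"signing": {"default": {"expiry": "87600h"},
  "profiles": {"server": {"expiry": "87600h"}, "client": {"expiry": "8760h"}}}}"""

if __name__ == "__main__":
    now = datetime(2022, 12, 14, tzinfo=timezone.utc)          # constructed
    ca_not_after = datetime(2027, 12, 6, tzinfo=timezone.utc)  # constructed
    for name, days in profiles_outliving_ca(SAMPLE_CONFIG, ca_not_after, now).items():
        print(f"{name}: notAfter would be {days} days past the CA's")
```
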