
Create self-signed certificate with end-date in the past [Resolved]

I would like to create self-signed certificates on the fly with arbitrary start- and end-dates, including end-dates in the past. I would prefer to use standard tools, e.g., OpenSSL, but anything that gets the job done would be great.

The Stack Overflow question How to generate openssl certificate with expiry less than one day? asks a similar question, but I want my certificate to be self-signed.

In case you were wondering, the certificates are needed for automated testing.


Asked April 15, 2017
2 Answers

You have two ways to create certificates in the past: either faking the time, or defining the time interval when signing the certificate.

1) Firstly, about faking the time: to make a program think it is running at a different date from the system's, have a look at libfaketime and faketime.

To install it in Debian:

sudo apt-get install faketime

You would then use faketime before the openssl command.

For examples of use:

$ faketime 'last friday 5 pm' /bin/date
Fri Apr 14 17:00:00 WEST 2017
$ faketime '2008-12-24 08:15:42' /bin/date
Wed Dec 24 08:15:42 WET 2008

From man faketime:

The given command will be tricked into believing that the current system time is the one specified in the timestamp. The wall clock will continue to run from this date and time unless specified otherwise (see advanced options). Actually, faketime is a simple wrapper for libfaketime, which uses the LD_PRELOAD mechanism to load a small library which intercepts system calls to functions such as time(2) and fstat(2).

So, for instance, in your case you can define a date in 2008 and then create a certificate with a validity of 2 years, up to 2010.

faketime '2008-12-24 08:15:42' openssl ... 

As a side note, this utility can be used on several Unix variants, including macOS, as a wrapper for any kind of program (not just command-line ones).

As a clarification, only the binaries loaded with this method (and their children) have their time changed, and the fake time does not affect the current time of the rest of the system.

As @Wyzard states, you also have the datefudge package which is very similar in use to faketime.

As for differences, datefudge does not influence fstat (i.e. it does not change file creation times). It also has its own library, datefudge.so, which it loads using LD_PRELOAD.

It also has a -s (static) mode, in which the given time is always returned no matter how many seconds have passed.

$ datefudge --static "2007-04-01 10:23" sh -c "sleep 3; date -R"
Sun, 01 Apr 2007 10:23:00 +0100

2) Besides faking the time, and even more simply, you can also define the start and end of the certificate's validity when signing it in OpenSSL.

The misconception in the question you link to is that the validity time is not defined at request time (in the CSR). When using openssl ca to create the self-signed certificate, add the options -startdate and -enddate in the format YYMMDDHHMMSSZ; as in creating a certificate valid from the 1st of January 2008 to the 1st of January 2010:

openssl ca -config /path/to/myca.conf -in req.csr -out ourdomain.pem \
-startdate 080101000000Z -enddate 100101000000Z

P.S. As for the chosen answer to the question you reference from Stack Exchange: it is generally a bad idea to change the system time, especially on production systems; and with both methods in this answer you do not need root privileges.


Answered April 15, 2017
 
Both faketime and datefudge work beautifully on my Debian jessie system. – rlandster 3 mins ago
 
@Wyzard Thanks, indeed I found it in Debian; interestingly enough, the manual states that while it also changes system calls to functions such as time(2), it does not influence fstat(2). – Rui F Ribeiro 54 mins ago
 
There's also a similar program called datefudge. – Wyzard 58 mins ago
 
+1. I knew someone would come along with something better than what I wrote :) – Celada 3 hours ago

I'm almost surprised to find that the obvious thing works: since openssl takes as an argument the number of days for which the certificate should be valid, just supply a negative number!

openssl req -x509 -newkey rsa:4096 \
    -keyout key.pem -out cert.pem -days -365

Note that this actually results in something very strange: a certificate whose expiry timestamp precedes its start-of-validity timestamp. I don't actually recommend that you use this for your automated testing, since it's weird. You probably want a way to back-date the start-of-validity timestamp as well.


Answered April 15, 2017
 
@FreeSoftwareServers In the CSR you cannot; see the last part of my answer. – Rui F Ribeiro 1 hour ago
 
Can you not specify start date? – FreeSoftwareServers 1 hour ago
 
Well, to be fair, I had no idea you could use negative days. – Rui F Ribeiro 3 hours ago