You have two chances to create certificates in the past. Either faking the time, or defining the time interval when signing the certificate.
1) Firstly, about faking the time: to make one program think it is in a different date from the system, have a look at
To install it in Debian:
sudo apt-get install faketime
You would then use
faketime before the
For examples of use:
$faketime 'last friday 5 pm' /bin/date
Fri Apr 14 17:00:00 WEST 2017
$faketime '2008-12-24 08:15:42' /bin/date
Wed Dec 24 08:15:42 WET 2008
The given command will be tricked into believing that the
system time is the one specified in the timestamp. The wall clock will
continue to run from this date and time unless specified otherwise (see
advanced options). Actually, faketime is a simple wrapper for
libfaketime, which uses the LD_PRELOAD mechanism to load a small
library which intercepts system calls to functions such as time(2) and
So for instance, in your case, you can very well define a date of 2008, and create then a certificate with the validity of 2 years up to 2010.
faketime '2008-12-24 08:15:42' openssl ...
As a side note, this utility can be used in several Unix versions, including MacOS, as an wrapper to any kind of programs (not exclusive to the command line).
As a clarification, only the binaries loaded with this method (and their children) have their time changed, and the fake time does not affect the current time of the rest of the system.
As @Wyzard states, you also have the
datefudge package which is very similar in use to
datefudge does not influence
fstat (i.e. does not change file time creation). It also has it´s own library, datefudge.so, that it loads using LD_PRELOAD.
It also has a
static time where the time referenced is always returned despite how many extra seconds have passed.
$ datefudge --static "2007-04-01 10:23" sh -c "sleep 3; date -R"
Sun, 01 Apr 2007 10:23:00 +0100
2) Besides faking the time, and even more simply, you can also define the starting point and ending point of validity of the certificate when signing the certificate in OpenSSL.
The misconception of the question you link to in your question, is that time is not defined at request time (at the CSR request). When using
openssl ca to create the self-signed certificate, add the options
-enddate in the format YYMMDDHHMMSSZ ; as in, creating a certificate from the 1st of January 2008 to the 1st of January of 2010:
openssl ca -config /path/to/myca.conf -in req.csr -out ourdomain.pem \
-startdate 0801010000Z -enddate 1001010000Z
P.S. As for chosen answer of the question you reference from StackExchange: it is generally a bad idea to change the system time, specially in production systems; and also with both these two methods in this answer you do not need root privileges when using them.