New Member
Posts: 10
Registered: ‎05-18-2016
Accepted Solution

OpenVPN certificate expiration date

Hi,

 

I use EdgeRouter X. When I create certificates and sign them with these commands:

./CA.sh -newreq
./CA.sh -sign

The default expiration period is 365 days.

How can I change that value to 3650 for example?

 

Thanks!


Accepted Solutions
Regular Member
Posts: 694
Registered: ‎01-26-2015
Kudos: 179
Solutions: 63

Re: OpenVPN certificate expiration date

[ Edited ]

Set the environment variable "$DAYS" before executing the script. Without it, the script uses 365 days as default.

 

export DAYS=3650
./CA.sh ...

 

*edit

The variable won't survive a reboot so you might have to execute the export command again. Check "echo $DAYS" to see if it is set correctly.

New Member
Posts: 10
Registered: ‎05-18-2016

Re: OpenVPN certificate expiration date

Great! Thanks!

 

Is there any option to view all variables, so I can see what else can be changed?

Regular Member
Posts: 694
Registered: ‎01-26-2015
Kudos: 179
Solutions: 63

Re: OpenVPN certificate expiration date

[ Edited ]

What variables do you mean? The environment variables are system-wide variables used by dozens of scripts. You can list them by typing "printenv". The HOME and the PATH variables are probably the most used of them all.

 

If you'd like to see how you can make additional changes to the created certificates, please read the openssl documentation. Then you can modify the CA.sh script (backup!) or even write your own script.

 

In case you want to use these certificates for OpenVPN or similar purposes, I recommend reading that documentation as well because they might use specific certificate properties like nsCertType=Server for example. These properties are usually controlled by the openssl.cnf or by their own environment variables.

Emerging Member
Posts: 54
Registered: ‎04-07-2011
Kudos: 15

Re: OpenVPN certificate expiration date

[ Edited ]

Makuckn wrote:

Set the environment variable "$DAYS" before executing the script. Without it, the script uses 365 days as default.

 

export DAYS=3650
./CA.sh ...

 

*edit

The variable won't survive a reboot so you might have to execute the export command again. Check "echo $DAYS" to see if it is set correctly.


 

This doesn't work anymore in 1.9.1.1

It says 3650 is an unknown option.

Tried setting $DAYS to "-days 3650" as well, no more errors but the validity is still 365 days ...

Tried setting it in CA.sh as well, but the number of days was also ignored.

Regular Member
Posts: 694
Registered: ‎01-26-2015
Kudos: 179
Solutions: 63

Re: OpenVPN certificate expiration date

Well, I don't use EdgeOS for certificate creation, I use my Ubuntu server instead. I'm not sure if this is a limitation of EdgeOS or if it's due to a newer OpenSSL version. You could try to download OpenSSL for a Linux box or maybe even on Windows and create your certs that way.

New Member
Posts: 1
Registered: ‎05-12-2015
Kudos: 1

Re: OpenVPN certificate expiration date

It looks like openssl has maybe moved the "days" flag to the sign command instead of the req command.

If you do:

export SSLEAY_CONFIG="-days 3650"

then 

./CA.sh -sign

it should work like you want it to.

Emerging Member
Posts: 54
Registered: ‎04-07-2011
Kudos: 15

Re: OpenVPN certificate expiration date

[ Edited ]
export SSLEAY_CONFIG="-days 3650"

./CA.sh -sign

Works indeed! Thanks for the info Hurray
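The thread shows the lifetime setting can be silently ignored, leaving a 365-day certificate, so it is worth checking the signed certificate itself. The following is an added example, not part of any post above; `cert_valid_for_days` and `make_test_cert` are hypothetical helper names, and the self-signed certificate is a constructed stand-in for the one signed by CA.sh.

```shell
#!/bin/sh
# Added example: confirm how long a signed certificate is really valid for,
# instead of trusting that DAYS / SSLEAY_CONFIG was honoured.

# cert_valid_for_days CERT DAYS
# Exit 0 if CERT will still be valid DAYS days from now, non-zero otherwise.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# make_test_cert DIR DAYS
# Writes a throwaway self-signed certificate (constructed sample, not CA.sh
# output) valid for DAYS days into DIR and prints its path.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    printf '%s\n' "$1/cert.pem"
}

# Demo: reproduce the failure reported in the thread, where 3650 days were
# requested but the resulting certificate was only valid for 365 days.
tmp=$(mktemp -d)
cert=$(make_test_cert "$tmp" 365)

# Show the real notBefore / notAfter fields of the certificate.
openssl x509 -in "$cert" -noout -dates

# Allow one day of slack: a 3650-day certificate passes a 3649-day check.
if cert_valid_for_days "$cert" 3649; then
    echo "OK: certificate is valid for about 10 years"
else
    echo "WARNING: certificate expires in under 3649 days; lifetime setting was ignored"
fi
rm -rf "$tmp"
```

To check a real certificate, pass the path of the file written by `./CA.sh -sign` to `cert_valid_for_days` instead of the constructed one; a non-zero exit status means the requested lifetime did not take effect.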
