12

I am creating my keystore with following command:

keytool -genkey -keystore myStore.keystore -keyalg RSA -keysize 1024 -alias myAlias

How could I generate one with a past expiry date (the use of this? I want to test the behavior of my app with an expired certificate).

ptpdlc
  • 2,373
  • 6
  • 22
  • 33
  • 1
    Just change the date on your computer and then create a certificate with a validity of 1 day. I use TinyCA. – grep Jan 30 '14 at 07:36

3 Answers

13

You can generate an expired certificate with the keytool command by using the following parameters:

-startdate

-validity

While the validity parameter takes only a number of days as input, the startdate parameter can be used to specify when the validity begins. The format for the startdate parameter is [yyyy/mm/dd][HH:MM:SS].

Refer to this link for details: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html

shyam0191
  • 162
  • 1
  • 8
8

You can use the openssl commands below to generate expired certificates; this mimics the official process of having a CA sign a certificate.

Note: Only tested on Linux.

Assume you are the CA

#Create the CA key; from now on you are the CA, using root.key and root.cer to sign certificates
openssl genrsa 4096 > root.key
#Create the CA certificate, which expires ten years from now
openssl req -new -x509 -key root.key -out root.cer -days 3650

Now you are the one applying for a signed certificate from the CA

#Generate your own private key
openssl genrsa 4096 > server.key
#Build a Certificate Signing Request
openssl req -new -key server.key -out server.csr

Now you are the CA again

#Sign the certificate and make it expire 1 day ago. Pay attention to the negative -days argument (not working on MacOS)
openssl x509 -req -in server.csr -CA root.cer -CAkey root.key -CAcreateserial -out server.cer -days -1

Then you can check the dates

openssl x509 -noout -text -in server.cer

Validity
    Not Before: Mar 7 09:11:13 2019 GMT
    Not After : Mar 6 09:11:13 2019 GMT

Popeye
  • 2,002
  • 20
  • 14
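The answer above relies on a negative -days value, which the author notes does not work on macOS. As an added example (not part of the original answer), the script below does the same job with `openssl ca`, whose -startdate and -enddate options set the validity window explicitly on every platform, then checks the result with `openssl x509 -checkend 0` (exit status 1 once NotAfter has passed) and bundles key and chain into a PKCS12 store that Java loads directly. The temp-directory layout, the subject names, the 2019 validity window and the store password "changeit" are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Issues an already-expired
# certificate with `openssl ca` (explicit -startdate/-enddate, works on macOS
# too), verifies expiry with `openssl x509 -checkend`, and packs key + chain
# into a PKCS12 keystore. Assumptions (constructed for the example): a
# throw-away CA under a temp directory, the CNs below, password "changeit".
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a throw-away CA. Same idea as the answer's root.key/root.cer, but
# non-interactive (-subj) and with the bookkeeping files `openssl ca` needs.
make_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 01 > "$WORK/ca/serial"
    openssl genrsa -out "$WORK/ca/root.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca/root.key" -out "$WORK/ca/root.cer" \
        -days 3650 -subj "/CN=Example Test CA" 2>/dev/null
    # Minimal config for `openssl ca`; \$dir is expanded by openssl, not the shell.
    cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = test_ca

[ test_ca ]
dir           = $WORK/ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/root.cer
private_key   = \$dir/root.key
default_md    = sha256
policy        = policy_any

[ policy_any ]
commonName    = supplied
EOF
}

# Issue a certificate for CN=$1 whose validity window is [$2, $3], both given
# as GeneralizedTime (YYYYMMDDHHMMSSZ). A window entirely in the past yields an
# already-expired certificate: no clock changes and no negative -days needed.
issue_cert() {
    name="$1"; start="$2"; end="$3"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
        -startdate "$start" -enddate "$end" \
        -in "$WORK/$name.csr" -out "$WORK/$name.cer" 2>/dev/null
}

# Exit status 0 if NotAfter is still in the future, 1 if the cert has expired
# (-checkend N asks "will it expire within N seconds"; N=0 means "right now").
is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Print NotAfter in openssl's text form, e.g. "Mar  6 00:00:00 2019 GMT".
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Bundle key, leaf cert and CA cert into a PKCS12 store under alias $2. Java
# opens it with KeyStore.getInstance("PKCS12"), so the app under test can load
# it in place of the keystore from the question.
to_pkcs12() {
    name="$1"; alias="$2"
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.cer" \
        -certfile "$WORK/ca/root.cer" -name "$alias" \
        -passout pass:changeit -out "$WORK/$name.p12"
}

make_ca
issue_cert expired 20190301000000Z 20190306000000Z   # five days in 2019: expired
issue_cert current 20200101000000Z 20991231235959Z   # still valid: control case
to_pkcs12 expired myAlias

echo "expired.cer NotAfter: $(not_after "$WORK/expired.cer")"
if is_valid_now "$WORK/expired.cer"; then
    echo "expired.cer is still valid (unexpected)"
else
    echo "expired.cer has expired, as intended; keystore at $WORK/expired.p12"
fi
```

The `current` certificate is issued only as a control so that the check can be seen to pass for a live certificate and fail for the expired one. If the application insists on a JKS file, `keytool -importkeystore -srckeystore expired.p12 -srcstoretype PKCS12 -srcstorepass changeit -destkeystore myStore.keystore -deststoretype JKS -deststorepass changeit` converts the store. One caveat: OpenSSL 3 writes PKCS12 files with newer algorithms by default, which older JDKs cannot read; add `-legacy` to the `openssl pkcs12 -export` call in that case.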
5

Using the Java keytool, the minimum validity for a keystore certificate is 1 day.

EDIT: looks like there's an option for -startdate as @shyam0191 has answered.

So, you can't (correction: you can actually) generate a certificate with a past date. I suggest using the following command, which will generate a certificate with a 1-day validity, and the next day you will be able to test with it:

#-genkey already produces a self-signed certificate, so no separate -selfcert command is needed
keytool -genkey -alias Test -keystore myStore.keystore -keyalg RSA -validity 1

or use @shyam0191's answer, which will have the same end result (but sooner).

bazyle
  • 756
  • 6
  • 13
  • The idea from @grep works exactly as needed. Just change the date of your computer to a past date and then create the certificate. It works on Windows 7, I just did it. – Joe W Nov 11 '14 at 22:27
  • 1
    Use -startdate and you can generate certs that are expired: -startdate -2d -validity 1 – Oct 17 '16 at 15:43
  • You're right @fhanik. Probably I wasn't aware of that option at the time I answered. Either way, it can have the same end result. – bazyle Jun 23 '18 at 23:13