How to generate openssl certificate with expiry less than one day?

Try gossl, which allows specifying the cert validity start date and duration in various time units.

I developed it to overcome limitations of command line openssl. The tool is lightweight, implemented in Go, without dependencies, under the MIT license.


The -startdate and -enddate options for the x509 command are display options. You can set a specific start and end time using the ca command instead to sign the certificate.

Try something like this:

openssl ca -config /etc/openssl.cnf -policy policy_anything -out clientcert.pem -startdate 120815080000Z -enddate 120815090000Z -cert ca.pem -keyfile cakey.pem -infiles clientcert.csr
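The openssl ca approach above, worked end to end as an added example (not code from any of the answers): a throwaway CA issues a certificate valid for N minutes. The config, subject names and file paths are constructed for the demo, and GNU date is assumed for the time arithmetic.

```sh
#!/bin/sh
# Added example: a throwaway CA issues a certificate valid for N minutes.
# Every name and path here is constructed for the demo. Assumes GNU date.

issue_short_lived() {
    minutes=$1 dir=$2
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial" || return 1

    # Self-contained config so nothing depends on the system openssl.cnf.
    cat > "$dir/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 1
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOF

    # Demo CA (self-signed), then a client key and CSR.
    openssl req -config "$dir/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/cakey.pem" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -config "$dir/demo.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=client.example" -keyout "$dir/client.key" -out "$dir/clientcert.csr" 2>/dev/null || return 1

    # Validity window in UTCTime form (YYMMDDHHMMSSZ), as -startdate/-enddate expect.
    now=$(date -u +%s)
    start=$(date -u -d "@$now" +%y%m%d%H%M%SZ)
    end=$(date -u -d "@$((now + minutes * 60))" +%y%m%d%H%M%SZ)

    # -enddate takes precedence over default_days from the config.
    openssl ca -batch -notext -config "$dir/demo.cnf" \
        -startdate "$start" -enddate "$end" \
        -cert "$dir/ca.pem" -keyfile "$dir/cakey.pem" \
        -in "$dir/clientcert.csr" -out "$dir/clientcert.pem" 2>/dev/null || return 1

    # Print the notBefore/notAfter pair written into the certificate.
    openssl x509 -noout -dates -in "$dir/clientcert.pem"
}

issue_short_lived 10 "$(mktemp -d)"
```

openssl x509 -checkend SECONDS exits non-zero when the certificate expires within that many seconds, which makes it a convenient check that the short lifetime took effect.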

Step-1. Install faketime

sudo apt-get install faketime

Step-2. Generate an expired certificate a day before the current date.

faketime 'last friday 5 pm' /bin/bash -c 'openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 6 -nodes'

Step-3. Verify the certificate validity date

openssl x509 -noout -text -in cert.pem


Or here is another way that I have found to work.

Say I want my certificate to expire in 10 mins as a test.

The current date is Feb 17th
The current time is 4:40pm

First I set my system date to -1 day: Feb 16th
I set my system clock to +10 mins: 4:50pm

I create my cert using openssl x509 to expire in 1 day, which really means it expires today, Feb 17th

openssl x509 -req -days 1 -in clientcert.csr -signkey cert.key -out ssl.crt

I then reset my system clock and time to the actual date and time, and voila, you have a certificate that is going to expire in 10 mins!

Obviously not the real way to do things, but nice and easy for creating self-signed certificates for dev use.
