Openvpn
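Creating an OpenVPN certificate valid for more than one year
This command generates a certificate that is valid for only 365 days. Whether I change the value to 100 or 3650, the result is the same: 1 year. How do I generate a certificate that is valid for 10 years?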
```
# openssl req -new -keyout newkey.pem -out newreq.pem -days 3650
Generating a 2048 bit RSA private key
...........................................................+++
.........................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits PTY Ltd]:company
Organizational Unit Name (eg, section) []:section
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:mail@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            cb:32:13:1d:e2:40:2f:e4
        Validity
            Not Before: May 11 17:58:32 2021 GMT
            Not After : May 11 17:58:32 2022 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = State
            localityName              = City
            organizationName          = company
            organizationalUnitName    = section
            commonName                = server
            emailAddress              = mail@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E7:8A:D9:91:7C:81:BF:C0:CE:D9:43:D7:C8:D8:03:1C:60:85:D0:35
            X509v3 Authority Key Identifier:
                keyid:CF:76:53:4A:FB:01:EC:DE:CE:40:C1:F2:F0:F6:6E:12:57:24:8F:45

Certificate is to be certified until May 11 17:58:32 2022 GMT (365 days)
Sign the certificate? [y/n]:
```
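For some bizarro-world reason, you must change default_days in openssl.cnf, otherwise it overrides the -days command-line option. That is, edit openssl.conf so that it has:

default_days = 3650

This seems intuitively and obviously wrong, and contrary to reasonable expectations of how software defaults and command-line options should (and do) interact, but that's how it works.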
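A way to check which default_days value the CA section of openssl.cnf will apply before signing, as an added example that is not part of the original question or answer. It assumes the stock file layout, where `[ ca ] default_ca` names the section that holds `default_days`; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: a trimmed openssl.cnf in the layout of the stock file.
SAMPLE_CNF = """\
HOME = .

[ ca ]
default_ca = CA_default     # section used by 'openssl ca'

[ CA_default ]
dir = ./demoCA
default_days = 365          # how long to certify for
default_md = default
"""

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}."""
    sections = {"default": {}}          # keys before the first [section]
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (simplified: no quoted '#')
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def ca_default_days(text):
    """Return default_days from the section [ ca ] default_ca points to, or None."""
    sections = parse_cnf(text)
    ca_section = sections.get("ca", {}).get("default_ca")
    value = sections.get(ca_section, {}).get("default_days")
    return int(value) if value is not None else None

def check_validity(text, wanted_days):
    """Return (matches, configured_days) for the intended validity period."""
    actual = ca_default_days(text)
    return actual == wanted_days, actual

if __name__ == "__main__":
    print(check_validity(SAMPLE_CNF, 3650))   # stock value: mismatch
    fixed = SAMPLE_CNF.replace("default_days = 365 ", "default_days = 3650")
    print(check_validity(fixed, 3650))        # after the edit: match
```

To run it against a real file, pass the contents of the path printed after "Using configuration from" in the signing output.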