I created a self-signed OpenSSL certificate using the below commands.

  • openssl genrsa -des3 -out server.key 2048
  • openssl rsa -in server.key -out server.key
  • openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
  • openssl x509 -req -sha256 -days 10 -in server.csr -signkey server.key -out
  • cat server.crt server.key > cert.pem

Using the cert.pem and the RSA_sign function, I created a signature after the certificate expired (after 10 days).

The RSA_verify of the above signature still succeeds. Can you help me with this?

Best regards, Poornima.M

1 Answer

RSA_verify() verifies the signature using the RSA public key; it does not deal with the public key certificate.

A public key and a key certificate are not the same thing; the public key resides in the public key certificate. So when you extract the public key from the certificate, that is where you have to check whether it has expired or not, and avoid using it if it has expired.
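A worked illustration of the answer's point, added here as an example and not part of the original post or of OpenSSL's own documentation: a shell script that does the command-line equivalent of RSA_sign/RSA_verify and then, as a separate step, checks the certificate's validity period with `openssl x509 -checkend`. It assumes only the `openssl` CLI; the file names and the `WORK` directory are this example's own choices. Waiting ten days is impractical, so the expired case is simulated by asking whether the 10-day certificate will still be valid 20 days from now: the signature check passes either way, and only the certificate check rejects the signature.

```shell
#!/bin/sh
# Added example (not from the original post): RSA signature verification plus
# the certificate validity check that RSA_verify() does not perform.
# Assumes the openssl CLI is on PATH. WORK and all file names are arbitrary choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Same kind of key and 10-day self-signed certificate as in the question.
make_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -subj '/CN=localhost' \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 10 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    # The bare public key pulled out of the certificate: this is all RSA_verify() sees,
    # and it carries no notBefore/notAfter dates.
    openssl x509 -in "$WORK/server.crt" -pubkey -noout > "$WORK/server.pub"
}

# Sign a constructed sample message with the private key (CLI equivalent of RSA_sign with SHA-256).
sign_message() {
    printf 'constructed sample message\n' > "$WORK/data.txt"
    openssl dgst -sha256 -sign "$WORK/server.key" -out "$WORK/data.sig" "$WORK/data.txt"
}

# Pure signature check: exit 0 if the signature matches the public key.
# No dates are involved, so this keeps succeeding after the certificate expires.
signature_ok() {
    openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$WORK/data.sig" \
        "$WORK/data.txt" >/dev/null 2>&1
}

# Certificate check at "now + $1 seconds": -checkend exits non-zero if the
# certificate has expired (or will have expired) by that time. A future offset
# models a signature being verified after the validity period ended.
cert_valid_at() {
    openssl x509 -in "$WORK/server.crt" -noout -checkend "$1" >/dev/null 2>&1
}

# What a verifier should do: accept only when BOTH checks pass.
# Exit status: 0 accepted, 1 bad signature, 2 good signature but certificate not valid then.
verify_at() {
    if ! signature_ok; then
        echo "rejected: signature does not verify"
        return 1
    fi
    if ! cert_valid_at "$1"; then
        echo "rejected: signature verifies, but certificate is outside its validity period"
        return 2
    fi
    echo "accepted: signature verifies and certificate is within its validity period"
    return 0
}

TEN_DAYS=864000
TWENTY_DAYS=1728000

make_cert
sign_message
verify_at 0 || true              # now: accepted
verify_at "$TWENTY_DAYS" || true # after the 10-day period: signature still verifies, certificate check fails
```

The point the script makes concrete is that `signature_ok` (RSA_verify) and `cert_valid_at` (the notAfter check) are independent: the second one has to be done explicitly by the caller, ideally alongside the rest of certificate validation, before the extracted public key is trusted.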