Question

Is it possible to generate a CSR with a long validity using keytool?

When I generate a CSR using the keytool command, I always get a validity of only 3 months.

Please let me know if there is any way to generate a CSR with a longer validity.

Valid from: Thu Feb 13 17:34:07 EST 2014 until: Wed May 14 18:34:07 EDT 2014

The commands used to generate the keystore are:

keytool -genkey -alias prodserver -keyalg RSA -keysize 2048 -keystore prodservermykeystore
keytool -certreq -keyalg RSA -alias prodserver -file prodservercertreq.csr -keystore prodservermykeystore

Solution

There are two types of certificates, self-signed and CA-signed.

The first command you have given generates a self-signed certificate. You can change the validity by specifying the -validity option to keytool. Depending on your need (internal testing, intranet app, ...) you may be able to stop here.

If you need to have a trusted CA generate a certificate, then you will need to generate a CSR as in your second command to send to them. But a CSR does not have any way to specify the desired validity period; you need to communicate this separately to your CA when you send the CSR.

When the CA sends back your certificate you then import it into your keystore with the -importcert command to overwrite the previous prodserver entry.
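
The steps above as a non-interactive script, added here as an example and not part of the original answer: it sets the self-signed certificate's lifetime with -validity, measures the lifetime from keytool's "Valid from" line, and writes the CSR. The keystore path, password and distinguished name are constructed values, and validity_days assumes GNU date.

```shell
#!/bin/sh
# Constructed sample values (assumptions, not from the page).
KS="${TMPDIR:-/tmp}/prodserver-demo-keystore.$$"
CSR="$KS.csr"
PASS="changeit-demo"
DN="CN=prodserver.example.test, O=Example, C=US"

# Whole days between the two dates of a keytool "Valid from: ... until: ..." line.
validity_days() {
    not_before=$(printf '%s\n' "$1" | sed -n 's/.*Valid from: \(.*\) until: .*/\1/p')
    not_after=$(printf '%s\n' "$1" | sed -n 's/.*until: \(.*\)$/\1/p')
    echo $(( ( $(date -d "$not_after" +%s) - $(date -d "$not_before" +%s) ) / 86400 ))
}

# Step 1: key pair plus self-signed certificate; -validity is in days ($1).
make_selfsigned() {
    rm -f "$KS"
    keytool -genkeypair -alias prodserver -keyalg RSA -keysize 2048 \
        -validity "$1" -dname "$DN" \
        -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

# Print the validity line of the certificate stored under the alias.
show_validity() {
    keytool -list -v -alias prodserver -keystore "$KS" -storepass "$PASS" |
        grep 'Valid from:'
}

# Step 2: CSR for the CA. The request carries the subject and public key;
# the CA decides the validity of the certificate it issues.
make_csr() {
    keytool -certreq -alias prodserver -file "$CSR" \
        -keystore "$KS" -storepass "$PASS"
}

# Step 3 (needs the CA's reply, so it is not run here):
#   keytool -importcert -alias prodserver -file <reply from CA> -keystore "$KS"

# The validity line quoted in the question works out to keytool's default of 90 days.
validity_days "Valid from: Thu Feb 13 17:34:07 EST 2014 until: Wed May 14 18:34:07 EDT 2014"

# With a JDK installed: a two-year self-signed certificate, then the CSR.
if command -v keytool >/dev/null 2>&1; then
    make_selfsigned 730 && validity_days "$(show_validity)" && make_csr
fi
```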

Licensed under: CC-BY-SA with attribution