Make sure the embedded SSL cert doesn't expire #242

Merged
merged 1 commit into from
Jun 29, 2015

BillWeiss

I have this script that runs against my puppet environment and tells me if any certs are going to expire in the next month. It found this cert. As far as I can tell this cert is just self-signed, so I signed a new one with an expiration far in the future.

Diff of their metadata:

$ diff -u <( openssl x509 -in server.crt -noout -text ) <( git checkout master ; openssl x509 -in server.crt -noout -text )
Switched to branch 'master'
--- /dev/fd/11  2015-04-08 12:24:52.000000000 -0500
+++ /dev/fd/12  2015-04-08 12:24:52.000000000 -0500
@@ -1,13 +1,14 @@
+Your branch is up-to-date with 'origin/master'.
 Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            d1:a1:b9:ce:be:f9:12:b4
+            92:dd:f4:28:b5:5d:74:2f
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
         Validity
-            Not Before: Apr  8 17:23:55 2015 GMT
-            Not After : Apr  5 17:23:55 2025 GMT
+            Not Before: Apr 23 22:31:23 2014 GMT
+            Not After : Apr 23 22:31:23 2015 GMT
         Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
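Review bot: The new Validity on the `-` side (this diff is reversed) sets Not After to Apr  5 17:23:55 2025 GMT, which postpones the same expiry failure rather than removing it; consider generating the certificate when it is needed, or recording the 2025 date next to the file so it is re-signed in time. The unchanged context line "Signature Algorithm: sha1WithRSAEncryption" also shows the re-signed cert still uses SHA-1, so re-signing with SHA-256 while the file is being replaced anyway would be worth doing.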
@@ -24,11 +25,11 @@
                     41:1c:5b:39:cd:ee:c9:ae:d7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
-        9a:61:5b:fc:59:b1:5b:ae:72:cc:39:cc:a3:13:b1:a3:4a:65:
-        61:eb:c7:c4:37:e0:2a:9e:d6:5a:d5:9e:46:3a:fe:8e:40:83:
-        7d:99:54:a8:37:15:a8:95:bf:fd:c6:69:5d:7c:c4:13:86:02:
-        9c:90:71:ef:07:94:3d:91:ff:76:de:73:10:64:e8:bc:cb:1c:
-        9a:a1:e6:16:ae:48:25:90:51:54:fe:c7:45:eb:2b:85:05:d5:
-        14:0f:ea:d7:98:79:d2:ef:9e:05:2d:31:83:cc:44:a6:95:15:
-        54:09:8b:b0:56:0a:d1:76:6f:8f:fb:0b:b6:fa:56:53:df:1f:
-        39:54
+        36:b8:bb:dd:73:57:1f:fa:7b:7b:77:c2:e6:bb:44:9d:6a:82:
+        2c:0b:38:7a:0e:35:6c:70:2a:45:24:a5:dd:0e:31:93:d9:8b:
+        38:d2:22:9b:2d:19:d8:4e:df:7c:c1:ae:ae:47:31:21:48:a7:
+        f1:fb:35:62:f2:7d:cf:4a:44:07:94:44:7b:8f:32:85:5c:c5:
+        71:f0:d1:2d:db:f3:bf:00:f2:97:56:2c:e6:2c:58:e4:e5:67:
+        13:16:f1:a6:99:b9:2a:5f:e3:63:f5:35:13:b9:24:59:12:61:
+        7b:ef:aa:f9:93:c5:39:00:1b:bf:55:aa:f1:bc:0c:f2:a1:70:
+        21:a8

That diff is effectively reversed, so the - parts are what's being added :) The only change is in expiration and the actual signature (which has to change, of course). I checked to make sure this file still matches the key with:

$ openssl rsa -in server.key -noout -modulus
Modulus=C914EFB97EB7DBC690E40B9CF0F23EC4D682884D1464D61CB3EC6ADC012447F4E7CF41C65DDC77F8F9C51BB3084524BAE615C05467A7664DF03F8BCD21EF60BBE1BD8ED3854C93A0A0E0549C9FC772CEFD660726CF7700590A6AC30F82669CA78140D29AC6791E811B352FAA688AE89F722B60280FB32D411C5B39CDEEC9AED7
$ openssl x509 -in server.crt -noout -modulus
Modulus=C914EFB97EB7DBC690E40B9CF0F23EC4D682884D1464D61CB3EC6ADC012447F4E7CF41C65DDC77F8F9C51BB3084524BAE615C05467A7664DF03F8BCD21EF60BBE1BD8ED3854C93A0A0E0549C9FC772CEFD660726CF7700590A6AC30F82669CA78140D29AC6791E811B352FAA688AE89F722B60280FB32D411C5B39CDEEC9AED7

(not just visually verified, I did a diff and they're the same)
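
The two checks described in this pull request (flag certs that expire within the next month, and confirm the cert still matches its key by comparing moduli), as an added shell example that is not BillWeiss's script or code from the repository. The function names, the temporary directory and the generated key and cert are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the generated sample pair are constructed.

# cert_expires_within CERT DAYS
# returns 0 if CERT expires within DAYS days, 1 if not, 2 if CERT is unreadable
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only when the cert is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then return 1
    else return 0
    fi
}

# key_matches_cert KEY CERT
# returns 0 if both carry the same RSA modulus, 1 if not, 2 on a parse error
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$key_mod" = "$crt_mod" ]
}

# make_sample DIR DAYS: constructed throwaway key and self-signed cert
make_sample() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/O=Constructed Example" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# audit_pair DIR DAYS: prints one status line for DIR/server.key and DIR/server.crt
audit_pair() {
    if ! key_matches_cert "$1/server.key" "$1/server.crt"; then
        echo "MISMATCH $1"
    elif cert_expires_within "$1/server.crt" "$2"; then
        echo "EXPIRING $1"
    else
        echo "OK $1"
    fi
}

work=$(mktemp -d)
make_sample "$work/short" 10     # constructed: valid for 10 days
make_sample "$work/long" 3650    # constructed: valid for about 10 years
audit_pair "$work/short" 30      # prints EXPIRING and the directory
audit_pair "$work/long" 30       # prints OK and the directory
rm -rf "$work"
```

The mismatch branch runs before the expiry check so that a cert re-signed against the wrong key is reported even when its dates look fine.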

hunner added a commit that referenced this pull request Jun 29, 2015
Make sure the embedded SSL cert doesn't expire
@hunner hunner merged commit 3a437ea into puppetlabs:master Jun 29, 2015

hunner commented Jun 29, 2015

Hah! Thanks for finding this :)

cegeka-jenkins pushed a commit to cegeka/puppet-vcsrepo that referenced this pull request Jan 3, 2018
Make sure the embedded SSL cert doesn't expire