Generate an "expired" SSL certificate with keytool

You can use the openssl commands below to generate expired certificates; they mimic the official process of signing certificates.

Note: Only tested on Linux.

Assume you are a CA

# Create the CA key: from now on you are the CA, using root.key and root.cer to sign certificates
openssl genrsa 4096 > root.key
# Create the CA certificate, expiring ten years from now
openssl req -new -x509 -key root.key -out root.cer -days 3650

Now you are the one applying for a signed certificate from the CA

# Generate your own private key
openssl genrsa 4096 > server.key
# Build a Certificate Signing Request
openssl req -new -key server.key -out server.csr

Now you are the CA again

# Sign the certificate and make it expire 1 day ago. Pay attention to the negative -days argument (not working on macOS)
openssl x509 -req -in server.csr -CA root.cer -CAkey root.key -CAcreateserial -out server.cer -days -1

Then you can check the dates:

openssl x509 -noout -text -in server.cer

Validity
    Not Before: Mar 7 09:11:13 2019 GMT
    Not After : Mar 6 09:11:13 2019 GMT
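The same procedure as a script, followed by the checks a practitioner wants after producing such a certificate: that `openssl verify` really rejects it as expired, and a `-checkend` probe of the kind used in expiry monitoring. This is an added example, not code from the answer above; it assumes a Linux `openssl` on PATH, uses 2048-bit keys for speed, and the subject names are placeholders.

```shell
#!/bin/sh
# Added example: build a throwaway CA, issue a certificate that expired one day
# ago, then confirm that standard validity checks reject it.
set -eu

make_expired_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Private CA: key and self-signed root valid for ten years (subject is a placeholder).
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/root.key" -out "$dir/root.cer" -days 3650 \
        -subj "/CN=Test Root CA" 2>/dev/null
    # Leaf key plus CSR, then sign with -days -1 so notAfter is one day in the past.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=localhost" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/server.cer" -days -1 2>/dev/null
}

# Chain validation as a TLS client would do it. Prints the verify output and
# returns 0 only if openssl reports the leaf as expired (verify error 10).
verify_reports_expired() {
    dir="$1"
    out=$(openssl verify -CAfile "$dir/root.cer" "$dir/server.cer" 2>&1 || true)
    echo "$out"
    echo "$out" | grep -q "certificate has expired"
}

# Expiry probe: -checkend N exits non-zero if the certificate expires within
# N seconds, so N=0 asks "is it already expired right now?".
is_expired_now() {
    ! openssl x509 -checkend 0 -noout -in "$1/server.cer" >/dev/null
}

# Prints "expired" or "valid" based on the -checkend result.
cert_status() {
    if is_expired_now "$1"; then echo expired; else echo valid; fi
}

if [ "${1:-}" != "" ]; then
    make_expired_chain "$1"
    openssl x509 -noout -dates -in "$1/server.cer"
    verify_reports_expired "$1" && cert_status "$1"
fi
```

The two checks apply equally to a certificate produced with keytool once it is exported in PEM form (`keytool -exportcert -rfc`).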


You can generate an expired certificate with the keytool command by using the following parameters.

-startdate

-validity

While the validity parameter takes only a number of days as input, the startdate parameter can be used to specify when validity begins. The format for the startdate parameter is [yyyy/mm/dd][HH:MM:SS].

Refer to this link for details: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html