how to generate new root CA with given start/end dates

[lesinigo]

I'd like to generate a new root CA with a not_before date of my choice.

My basic, working setup is:

{
  "CN": "My root CA",
  "key": {
    "algo": "ecdsa",
    "size": 384
  },
  "ca": {
    "expiry": "87600h",
    "pathlen": 1
  },
  "names": [{
    "C":  "my country",
    "ST": "my state",
    "L":  "my location",
    "O":  "my org",
    "OU": "my unit"
  }]
}

...and I generate the CA with:

cfssl gencert -initca root_ca.json | cfssljson -bare root_ca

I have tried adding a config.json like this:

{
  "signing": {
    "default": {
      "not_before": "2018-07-01T00:00:00Z",
      "not_after": "2019-07-01T00:00:00Z"
    }
  }
}

or trying the same inside a signing / default block, or similar things.

How could I explicitly set Not Before and Not After (or a Not Before and an expire time) on a Root CA?

I'm not a Go coder but looking at func Update() in initca/initca.go I fear that it is hardcoded to the system's clock...

[chrisgavin]

It's not the exact interface you asked for, but you can use the backdate option with the existing expiry option you've already set to override the time the certificate is valid from.