A short guide on how to make openssl believe it is in the past.


I know there is Let's Encrypt, so why fiddle around with self-signed certificates? In the early stages of development LE has a small drawback: to issue a certificate you need a running domain. But if you are writing an HTTP client or want to test HTTPS connections without a domain, Let's Encrypt is not an option.

But what do you do if you need a self-signed certificate from the past? Setting your system clock back may create severe problems, because logs now have false timestamps or systemd keeps hammering on timedatectl to reset your system's clock to the actual date and time.

faketime is a handy small tool for this. This is how it works:

faketime '2015-01-01' openssl req -x509 -newkey rsa:4096 -sha256 -days 23725 \
  -nodes -keyout example.com.key -out example.com.crt -subj "/CN=example.com"

faketime changes, through magic, the system clock only for the command that follows it, so the certificate's begin date is set to '2014-12-31' (yes, the timezone given is GMT+2 and the certificate takes it as UTC).
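
To check the result and avoid the timezone shift mentioned above, here is an added example (not part of the original post) that runs the same command with TZ pinned to UTC and then reads the validity window back from the certificate. The function names, the output directory argument and the optional key-size argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: issue a backdated self-signed certificate with faketime
# and verify what ended up in it. All names below are illustrative.

# make_backdated_cert START_DATE DAYS CN OUTDIR [RSA_BITS]
# TZ=UTC makes faketime read START_DATE as UTC, so notBefore lands on
# that day instead of the evening before.
make_backdated_cert() {
    start=$1 days=$2 cn=$3 outdir=$4 bits=${5:-4096}
    command -v faketime >/dev/null 2>&1 || {
        echo "faketime is not installed" >&2
        return 2
    }
    TZ=UTC faketime "$start 00:00:00" \
        openssl req -x509 -newkey "rsa:$bits" -sha256 -days "$days" \
        -nodes -keyout "$outdir/$cn.key" -out "$outdir/$cn.crt" \
        -subj "/CN=$cn" 2>/dev/null
}

# cert_not_before CERT: print the certificate's notBefore field.
# The seconds may be slightly past :00 because the faked clock keeps
# ticking while the key is generated.
cert_not_before() {
    openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//'
}

# cert_valid_now CERT: exit 0 if the certificate has not expired
# according to the real (unfaked) clock.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
```

Called as `make_backdated_cert 2015-01-01 23725 example.com .`, it writes example.com.key and example.com.crt to the current directory; `cert_not_before example.com.crt` then shows the begin date as stored in the certificate.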