OpenSSL Self-Signed Root CA Certificate: Set Start Date


Kampar

I'm using the following setup (using OpenSSL 1.0.1 14 Mar 2012) to create a small test CA with my own self signed certificate. My problem is that if I look at the start date of the CA's own certificate, it will create that certificate for tomorrow (and I want to use it today).

> openssl x509 -noout -startdate -enddate -in ~/my_little_ca/cacert.pem 
notBefore=Jan  2 16:05:52 2015 GMT
notAfter=Feb  1 16:05:52 2015 GMT

So I dug into it a bit because I had the same problem with a CA signed certificate. For these certificates, I can set the start date using --startdate, but I don't see a similar option for CA root certificates. I have tried using default_startdate in the openssl config file used when generating the CA, but for some reason it seems to be ignored?

I created the CA as follows, basically taken verbatim from Pravir Chandra et al's "Network Security with OpenSSL" as shown below.

The command used is req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose, but what I want to know is how to set the start date in this particular case when generating the root CA certificate and private key? Thank you in advance.

The complete script to generate the CA is as follows:

MYDIR=$(pwd -P)
BASEDIR=~/enigma_ca


mkdir -pv $BASEDIR
cd $BASEDIR

mkdir -pv private
chmod g-rwx,o-rwx private
mkdir -pv certs
touch index.txt
echo '01' > serial

DEFAULT_STARTDATE=$(date +'%y%m01000000Z')

cat <<EOF >openssl.cnf
[ ca ]
default_ca = my_test_ca

[ my_test_ca ]
certificate       = $BASEDIR/cacert.pem
database          = $BASEDIR/index.txt
new_certs_dir     = $BASEDIR/certs
private_key       = $BASEDIR/private/cakey.pem
serial            = $BASEDIR/serial

default_crl_days  = 7
default_days      = 356
default_md        = md5
default_startdate = $DEFAULT_STARTDATE

policy            = my_test_ca_policy
x509_extensions   = certificate_extensions

[ my_test_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
basicConstraints  = CA:false

[ req ]
default_bits      = 2048
default_keyfile   = $BASEDIR/private/cakey.pem
default_md        = md5
default_startdate = $DEFAULT_STARTDATE
default_days      = 356

prompt              = no
distinguished_name  = root_ca_distinguished_name
x509_extensions     = root_ca_extensions

[ root_ca_distinguished_name ]
commonName           = My Mini CA
stateOrProvinceName  = Hampshire
countryName          = UK
emailAddress         = [email protected]
organizationName     = My Mini CA Ltd

[ root_ca_extensions ]
basicConstraints = CA:true

EOF


OPENSSL_CONF=$BASEDIR/openssl.cnf
export OPENSSL_CONF

# Now generate self-signed certificate and generate key pair to go with it...
expect - <<EOF >> $MYDIR/ca_debug.txt
puts [concat "OPENSSL_CONF =" \$::env(OPENSSL_CONF)]
spawn openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -verbose
expect "PEM pass phrase:"
send "junk\r"
expect "PEM pass phrase:"
send "junk\r"
expect eof
EOF

Etienne

You can use openssl ca with the -selfsign option to create your CA self-signed certificate. This command allows you to set specific -startdate and -enddate.

E.g:

  • Create a private key for your CA:

openssl genrsa -out cakey.pem 2048

  • Create a CSR for this key:

openssl req -new -key cakey.pem -out ca.csr

  • Create a self-signed certificate:

openssl ca -config openssl.cnf -selfsign -keyfile cakey.pem -in ca.csr -out cacert.pem -startdate 20150214120000Z -enddate 20160214120000Z
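
The three steps above as one script, followed by the date check from the question. This is an added example, not part of the original answer: the directory layout, config section names and subject are constructed for illustration, and SHA-256 is used where the question's config has md5.

```bash
# Added example: self-signed test root via `openssl ca -selfsign` with explicit validity.
make_root_ca() {
    # $1 = CA directory, $2 = notBefore, $3 = notAfter (YYYYMMDDHHMMSSZ, UTC)
    local dir=$1 start=$2 end=$3
    mkdir -p "$dir/private" "$dir/certs" || return 1
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/certs
serial          = $dir/serial
default_md      = sha256
policy          = test_ca_policy
x509_extensions = root_ca_extensions
[ test_ca_policy ]
commonName = supplied
[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = root_dn
[ root_dn ]
commonName = Example Test Root CA
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$dir/openssl.cnf" \
        -key "$dir/private/cakey.pem" -out "$dir/ca.csr" || return 1
    # -selfsign signs the CSR with the key that made it, so no existing CA
    # certificate is needed; -startdate/-enddate set the validity explicitly.
    openssl ca -batch -notext -config "$dir/openssl.cnf" -selfsign \
        -keyfile "$dir/private/cakey.pem" -in "$dir/ca.csr" \
        -startdate "$start" -enddate "$end" \
        -out "$dir/cacert.pem" 2>/dev/null
}

# Print notBefore/notAfter, the same check the question runs on cacert.pem.
cert_dates() {
    openssl x509 -noout -startdate -enddate -in "$1"
}
```

Call it as `make_root_ca ./test_ca 20150214120000Z 20160214120000Z`, then `cert_dates ./test_ca/cacert.pem`. The private key is written unencrypted, which is only acceptable for a throwaway test CA.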
