[openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Salz, Rich rsalz at akamai.com
Wed Sep 13 13:39:56 UTC 2017


An X509v3 certificate has “notBefore” and “notAfter” fields.  If either of those is not present, then it is not an X509v3 certificate.  The time marked by those fields is the validity period.

If you want “never expires” X509v3 certificates, the best you can do it put a very large value in the notAfter field.  Some software may have issues around 32bit representation of classic Unix time_t and therefore have problems with times greater than 2038; OpenSSL does not have those problems.

The OpenSSL command-line tools do not handle every possible corner case, including the ability to reasonably set dates that more than 7,500 years in the future.  You will have to modify the source.




More information about the openssl-users mailing list