[openssl-users] Doubt regarding O-SSL and setting the duration of certificates
Robert Moskowitz
rgm at htt-consult.com
Wed Sep 13 17:20:38 UTC 2017
On 09/13/2017 09:39 AM, Salz, Rich via openssl-users wrote:
> An X509v3 certificate has “notBefore” and “notAfter” fields. If either of those is not present, then it is not an X509v3 certificate. The time marked by those fields is the validity period.
>
> If you want “never expires” X509v3 certificates, the best you can do it put a very large value in the notAfter field. Some software may have issues around 32bit representation of classic Unix time_t and therefore have problems with times greater than 2038; OpenSSL does not have those problems.
>
> The OpenSSL command-line tools do not handle every possible corner case, including the ability to reasonably set dates that more than 7,500 years in the future. You will have to modify the source.
It handles notAfter past 2038 (25*365 days from today):
openssl req -config $dir/openssl-root.cnf\
-set_serial 0x$(openssl rand -hex $sn)\
-keyform $format -outform $format\
-key $dir/private/ca.key.$format -subj "$DN"\
-new -x509 -days 9125 -sha256 -extensions v3_ca\
-out $dir/certs/ca.cert.$format
openssl x509 -inform $format -in $dir/certs/ca.cert.$format\
-text -noout
...
Validity
Not Before: Sep 13 17:09:50 2017 GMT
Not After : Sep 7 17:09:50 2042 GMT
...
I create 802.1AR cert with:
default_enddate = 99991231235959Z # per IEEE 802.1AR
in the config:
...
Validity
Not Before: Sep 7 04:43:27 2017 GMT
Not After : Dec 31 23:59:59 9999 GMT
...
So it seems you can create things like signing certs with enddates out
beyond 2038 and you can create EE certs with 'end of time' enddates.
The rest is up to the software that uses these certs...
Bob
More information about the openssl-users
mailing list