[openssl-dev] [openssl.org #4096] apps/req.c: support start_days_before option for x509

jeremy.compostella@intel.com via RT rt at openssl.org
Fri Oct 16 15:22:49 UTC 2015


Hi,

I'm using the openssl command to generate test certificates and I'm
running into an annoying "not valid yet" certificate issue.  I cannot
set the notbefore field using the openssl command.

I've made a patch (see attachment) that adds support for a
"-start-days-before" option which is symmetric to the "-days" option.

Patch commit message:
"Sometimes the generated X509 certificate notbefore date must be in the
past.  For instance, if this certificate is going to be included in a
device that might get its clock reset to its default time value, the
included certificate notbefore field must match (or be prior to) its
default date value which might be in the past.

This patch adds support for a -start-days-before option which is
symmetric to the -days option."

I'm not sure this is the best approach but having a -notbefore option
taking a date string would require date parsing support which is not
easy across platforms.  I think that this option, totally symmetric to
"-days", is simple enough and should cover most of the use cases.

What do you think?

Cheers,

Jérémy

-- 
One Emacs to rule them all


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-apps-req.c-support-start_days_before-option-for-x509.patch
Type: text/x-diff
Size: 2861 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151016/1a7f9b17/attachment.patch>
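
The validity-window arithmetic behind the request, as an added example that is not part of the original message or the attached patch. It assumes the proposed option sets notBefore to the signing time minus N days, mirroring how "-days" sets notAfter; the function names, the signing time and the device default clock are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)

def validity_window(now, days, start_days_before=0):
    """Assumed semantics of the proposal: notBefore = now - start_days_before,
    notAfter = now + days (both offsets in whole days)."""
    if days < 0 or start_days_before < 0:
        raise ValueError("offsets must be non-negative")
    return now - start_days_before * DAY, now + days * DAY

def is_valid_at(not_before, not_after, clock):
    """Validity check as a verifier applies it with its own clock."""
    return not_before <= clock <= not_after

def min_start_days_before(now, device_default_clock):
    """Smallest whole-day backdate that puts notBefore at or before the
    clock value a device falls back to after a reset."""
    gap = now - device_default_clock
    if gap <= timedelta(0):
        return 0
    return -(-gap // DAY)  # ceiling division on timedeltas

def asn1_time(dt):
    """RFC 5280 encoding of a validity date: UTCTime for 1950..2049,
    GeneralizedTime otherwise."""
    dt = dt.astimezone(timezone.utc)
    fmt = "%y%m%d%H%M%SZ" if 1950 <= dt.year <= 2049 else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)

# Constructed sample values: signing time and a device whose clock
# resets to 1 January 2015.
NOW = datetime(2015, 10, 16, 15, 22, 49, tzinfo=timezone.utc)
DEVICE_DEFAULT = datetime(2015, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    nb, na = validity_window(NOW, days=365)
    print("no backdate, valid after reset:", is_valid_at(nb, na, DEVICE_DEFAULT))
    n = min_start_days_before(NOW, DEVICE_DEFAULT)
    nb, na = validity_window(NOW, days=365, start_days_before=n)
    print("backdate by", n, "days ->", asn1_time(nb), "to", asn1_time(na))
    print("valid after reset:", is_valid_at(nb, na, DEVICE_DEFAULT))
```

Backdating widens the window in which the certificate is accepted, so the offset is best kept to the minimum that covers the device's default clock.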