[openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

Victor Wagner vitus at wagner.pp.ru
Mon Jul 13 10:22:13 UTC 2015

On Mon, 13 Jul 2015 12:25:40 +0530
Nayna Jain <naynjain at in.ibm.com> wrote:

> Hi all,
> I am programmatically generating the self signed certificate and need
> to specify the "Not Before" and "Not After" date,
> Wanted to understand what all formats are acceptable by this API ?

X509_set_notAfter and X509_set_notBefore API expect ASN1_TIME structure.
You can use ASN1_TIME_set function to fill this structure. It expects
integer time_t value.

X509_cmp_time also expects integer time_t value.

So integer number of seconds since the beginning of the epoch (1.1.1970
GMT) is everything you need.

There is also ASN1_TINE_set_string function, which does deal with some
datetime format, but I suggest never use it. Use C runtime library
function strptime, which allows to specify format explicitely or mktime
to prepare time_t value from the user input. And use OpenSSL
ASN1_TIME_print function to convert ASN1_TIME to human-readble form.

> Also,  similarly while using API , what exactly is the time format
> expected by X509_cmp_time(X509_get_notAfter(iv_pX509), .......);
> Thanks & Regards,
> Nayna Jain

More information about the openssl-users mailing list