[openssl-users] Not Before and Not After Date format for openssl API X509_gmtime_adj

Jakob Bohm jb-openssl at wisemo.com
Tue Jul 14 18:35:31 UTC 2015


On 13/07/2015 12:22, Victor Wagner wrote:
> On Mon, 13 Jul 2015 12:25:40 +0530
> Nayna Jain <naynjain at in.ibm.com> wrote:
>
>> Hi all,
>>
>> I am programmatically generating the self signed certificate and need
>> to specify the "Not Before" and "Not After" date,
>>
>> Wanted to understand what all formats are acceptable by this API ?
> X509_set_notAfter and X509_set_notBefore API expect ASN1_TIME structure.
> You can use ASN1_TIME_set function to fill this structure. It expects
> integer time_t value.
>
> X509_cmp_time also expects integer time_t value.
>
> So integer number of seconds since the beginning of the epoch (1.1.1970
> GMT) is everything you need.
>
> There is also ASN1_TIME_set_string function, which does deal with some
> datetime format, but I suggest never using it. Use C runtime library
> function strptime, which allows to specify format explicitly or mktime
> to prepare time_t value from the user input. And use OpenSSL
> ASN1_TIME_print function to convert ASN1_TIME to human-readable form.
Does ASN1_TIME_set_string() support dates outside the
time_t range of the local libc?

This is important when creating root certs with expiry
dates after 2038 (specifically, any time >= epoch+2**31).
It is also important when creating self-signed Android
apk signing certificates (which /must/ be valid for at
least 30 years).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
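
Added example, not part of the thread and not OpenSSL code: it builds the text form that ASN1_TIME_set_string() takes (UTCTime YYMMDDHHMMSSZ through 2049, GeneralizedTime YYYYMMDDHHMMSSZ from 2050, per RFC 5280) directly from calendar fields, and separately reports whether the same instant is past the signed 32-bit time_t limit. The function names and the sample date (30 years after this message's date) are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int days_in_month(int y, int m) {
    static const int d[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return (m == 2 && leap) ? 29 : d[m - 1];
}

/* Seconds since 1970-01-01 00:00:00 UTC, computed in 64 bits so the
 * result does not depend on the width of the local time_t. */
int64_t epoch_seconds(int y, int mo, int d, int h, int mi, int s) {
    y -= mo <= 2;                        /* count the year from 1 March */
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (mo + (mo > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t days = era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
    return days * 86400 + h * 3600 + mi * 60 + s;
}

/* 1 if the instant is past what a signed 32-bit time_t can hold
 * (epoch + 2**31 - 1 = 2038-01-19 03:14:07 UTC). */
int exceeds_time32(int y, int mo, int d, int h, int mi, int s) {
    return epoch_seconds(y, mo, d, h, mi, s) > INT32_MAX;
}

/* Write the ASN.1 time text for a UTC date into out without using time_t.
 * Returns the string length, or -1 on an invalid date or short buffer. */
int asn1_time_string(char *out, size_t outlen,
                     int y, int mo, int d, int h, int mi, int s) {
    if (y < 1950 || y > 9999 || mo < 1 || mo > 12) return -1;
    if (d < 1 || d > days_in_month(y, mo)) return -1;
    if (h < 0 || h > 23 || mi < 0 || mi > 59 || s < 0 || s > 59) return -1;
    int n = (y <= 2049)
        ? snprintf(out, outlen, "%02d%02d%02d%02d%02d%02dZ", y % 100, mo, d, h, mi, s)
        : snprintf(out, outlen, "%04d%02d%02d%02d%02d%02dZ", y, mo, d, h, mi, s);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    char buf[16];
    /* Constructed sample: notAfter 30 years after 2015-07-14 18:35:31 UTC. */
    if (asn1_time_string(buf, sizeof buf, 2045, 7, 14, 18, 35, 31) > 0)
        printf("%s exceeds 32-bit time_t: %d\n", buf,
               exceeds_time32(2045, 7, 14, 18, 35, 31));
    return 0;
}
```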


