[openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Robert Moskowitz rgm at htt-consult.com
Wed Sep 13 17:20:38 UTC 2017

On 09/13/2017 09:39 AM, Salz, Rich via openssl-users wrote:
> An X509v3 certificate has “notBefore” and “notAfter” fields.  If either of those is not present, then it is not an X509v3 certificate.  The time marked by those fields is the validity period.
> If you want “never expires” X509v3 certificates, the best you can do it put a very large value in the notAfter field.  Some software may have issues around 32bit representation of classic Unix time_t and therefore have problems with times greater than 2038; OpenSSL does not have those problems.
> The OpenSSL command-line tools do not handle every possible corner case, including the ability to reasonably set dates that more than 7,500 years in the future.  You will have to modify the source.

It handles notAfter past 2038 (25*365 days from today):

    openssl req -config $dir/openssl-root.cnf\
         -set_serial 0x$(openssl rand -hex $sn)\
         -keyform $format -outform $format\
         -key $dir/private/ca.key.$format -subj "$DN"\
         -new -x509 -days 9125 -sha256 -extensions v3_ca\
         -out $dir/certs/ca.cert.$format

    openssl x509 -inform $format -in $dir/certs/ca.cert.$format\
         -text -noout

             Not Before: Sep 13 17:09:50 2017 GMT
             Not After : Sep  7 17:09:50 2042 GMT

I create 802.1AR cert with:

default_enddate   = 99991231235959Z # per IEEE 802.1AR

in the config:

             Not Before: Sep  7 04:43:27 2017 GMT
             Not After : Dec 31 23:59:59 9999 GMT

So it seems you can create things like signing certs with enddates out 
beyond 2038 and you can create EE certs with 'end of time' enddates.

The rest is up to the software that uses these certs...


More information about the openssl-users mailing list