AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

[Wolfgang Knauf]

Here is the output:

C:\Program Files\OpenVPN\bin>openssl.exe verify -trusted ..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.ca.crt ..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.user.crt
..\config\SSL_HUG1 at l1139218.vt-security.de\l1139218.vt-security.de.user.crt: OK

But it seems I don't have the root certificate, just the CA certificate?

I will send both certificate files in another mail.

Wolfgang

-----Ursprüngliche Nachricht-----
Von: openssl-users <openssl-users-bounces at openssl.org> Im Auftrag von Jan Just Keijser
Gesendet: Montag, 4. März 2019 10:36
An: Richard Levitte <levitte at openssl.org>; openssl-users at openssl.org
Betreff: Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Hi Richard,

On 04/03/19 10:27, Richard Levitte wrote:
> On Mon, 04 Mar 2019 10:06:54 +0100,
> Jan Just Keijser wrote:
> ...
>> Having said that, I just created a certificate set to expire on Mar 9 
>> 2037 and it passed the following command:
>>    c:\program files\openvpn\bin\openssl x509 -dates -subject -noout 
>> -in mycert.crt
>>
>> can you run the same command on the failing certificate?
> That's a poor test.  'openssl x509' doesn't verify the certificate, 
> and the error comes up during verification.  To verify, use 'openssl 
> verify'.  Here's an example with OpenSSL test files:
>
>      openssl verify -trusted test/certs/root-cert.pem 
> test/certs/ca-cert.pem
>
> So in Wolfgang's case, I suspect something like this would say more:
>
>      openssl verify -trusted .....ca.crt .....user.crt
>

you were one step ahead of me :)
I fully agree that it is a poor test, I was just wondering if there was an encoding error in the cert itself, esp as the EndDate approaches the 32bit epoch...

Wolfgang, can you send me both the client cert and the CA cert that goes with it? both are public info.

cheers,

JJK / Jan Just Keijser