AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

Jan Just Keijser janjust at
Mon Mar 4 13:16:20 UTC 2019

On 04/03/19 10:21, Wolfgang Knauf wrote:
> Hi,
> the output is this:
> C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in ..\config\SSL_HUG1 at\
> Error: offset too large
> Would it be OK if I send the crt file to only your mail adress? I don't feel save by posting it to the mailing list ;-)?
I ran into the "offset too large" problem myself with my own certs as 
well. It turns out the 'asn1parse' util only likes PEM blobs, i.e. the 
parts starting with --BEGIN CERTIFICATE--

You can use
   openssl x509 -in -out | openssl 
to work around this.
For your certificates this results in

     0:d=0  hl=4 l= 942 cons: SEQUENCE
     4:d=1  hl=4 l= 791 cons: SEQUENCE
     8:d=2  hl=2 l=   3 cons: cont [ 0 ]
    10:d=3  hl=2 l=   1 prim: INTEGER           :02
    13:d=2  hl=2 l=   9 prim: INTEGER           :C604316CD0321FA1
    24:d=2  hl=2 l=  13 cons: SEQUENCE
    26:d=3  hl=2 l=   9 prim: OBJECT :sha256WithRSAEncryption
    37:d=3  hl=2 l=   0 prim: NULL
   155:d=2  hl=2 l=  30 cons: SEQUENCE
   157:d=3  hl=2 l=  13 prim: UTCTIME           :160418140054Z
   172:d=3  hl=2 l=  13 prim: UTCTIME           :370308132808Z
   187:d=2  hl=2 l=  88 cons: SEQUENCE
   189:d=3  hl=2 l=  11 cons: SET
   191:d=4  hl=2 l=   9 cons: SEQUENCE
   193:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   198:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :de

In other words, the dates look OK to me.
Also, I've thrown my own verification code against the certificate and 
everything checks out OK.
I'll see if I can reproduce the issue in my own OpenVPN setup.


JJK / Jan Just Keijser

More information about the openssl-users mailing list