I'm using openssl 09.5.a
For making a new CA, I specify a validity of 1000 days, and I also want my certs,
by default (i.e. if no end date is specified), to be valid for as
long as the CA.
For this I specified the following in openssl.cnf:
default_days = 1000 # how long to certify for
But by doing this the certs become valid for 1000 days from the system date. Now
if I configure my CA today (valid till 1000 days from now) and then sign a
cert tomorrow (for 1000 days),
its end date is one day more than the end date of my CA. Thus all the certs I
sign are invalid. When I click a .der, it is shown as invalid and a message is
displayed: "The validity period of this certificate exceeds
that of its certification authority."
Even if I put default_days = 365, my certs shall begin to go invalid one year
before my CA expires!?
Is there any way to ensure that my certs are valid for as long as my CA is?
What setting do I need to make?
Thanks in advance
Shobhit
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
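
One way to get the behaviour asked about above, as an added example that is not part of the original post: read the CA certificate's notAfter and pass it to `openssl ca -enddate`, so the end date no longer depends on default_days and the signing date. It assumes an `openssl ca` that supports `-enddate` and an already working CA configuration; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pin a new certificate's
# end date to the CA certificate's own notAfter.

# Convert the line printed by `openssl x509 -noout -enddate`
# (e.g. "notAfter=Mar  3 12:00:00 2027 GMT") into the UTCTime form
# YYMMDDHHMMSSZ taken by `openssl ca -enddate`.
# Fails (non-zero status, no output) on an unparseable line or on a
# year outside 1950-2049, which two-digit UTCTime cannot represent.
notafter_to_utctime() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^notAfter=/, "")
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) month[names[i]] = i
        if (NF < 4 || !($1 in month)) exit 1
        year = $4 + 0
        if (year < 1950 || year > 2049) exit 1
        split($3, t, ":")
        printf "%02d%02d%02d%02d%02d%02dZ\n", year % 100, month[$1], $2, t[1], t[2], t[3]
    }'
}

# Sign the request in $1, write the certificate to $2, and end its
# validity exactly when the CA certificate in $3 expires.
# Assumption: openssl.cnf, index and serial files are already set up.
sign_until_ca_expiry() {
    ca_end=$(notafter_to_utctime "$(openssl x509 -noout -enddate -in "$3")") || {
        echo "cannot derive an end date from $3" >&2
        return 1
    }
    openssl ca -in "$1" -out "$2" -enddate "$ca_end"
}

# Usage (hypothetical file names):
#   sign_until_ca_expiry req.pem newcert.pem cacert.pem
```
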