hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was change the value strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");
I would not do that. There is no way you can know that 15:59:59 will correspond to 24:59:59 in the future when the certificate expires. You are essentially predicting what the time zone shift will be at some future date. I would strongly urge you to make it expire at midnight UTC/GMT time. I would go further as to say that whatever tool is presenting certificate expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted it) should be dumped and replaced with something sane. This contains no time zone indicator or GMT offset. If you paste it to a mailing list, it is meaningless. If your requirement really is that a certificate expire at midnight for the time zone in which it was issued, assuming the zone offset will be the same at certificate issue time as it was at certificate issue time, then the requirement should be re-examined. For one thing, '155959Z' can't possibly be right for every possible case (unless your locality has no daylight savings time and you get lucky and it never does). You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC time at the time and place the certificate is being used when it expires. This seems like a truly crazy assumption. It might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. Otherwise, this is broken. erm... but there's still one problem. where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate can I add those lines.. thanks again You didn't paste the code to IssueCertificate. You should be able to find where it sets the expiration time and modify it just like the others. If not, why are you monkeying in security-critical code? Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense. DS
