No wonder I couldn't find the MakeCertificate function, it actually resides in an external library. I'll try to do anything I can to make sure it works as needed.

However, thank you very much for your help, David Schwartz. If you were in the java.sun.com forum I'd surely have given you at least 7 duke dollars. Thanks again.

It's a kludge, but you could modify the certificate and then fix the signature, if you have direct access to the key that signs them. The key appears to be passed to 'RenewCertificate' and 'GenCRL'. After you adjust the time, just add this (untested):

    X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity);
    X509_gmtime_roundup(X509_get_notAfter(x));
    X509_sign(x, key, EVP_sha1());

I think the 'key' should be the same thing you pass as 'pkey' to RenewCertificate. (I'm assuming 'RenewCertificate' or the CRL code use the same private key as you use to sign certificates. Double-check that too!)

I've never tried signing a certificate that has already been signed. I hope it will digest and sign the correct part of the certificate and replace the old signature with a new one. But I've never tried it and can't easily test it right now.

DS