If you're getting pronounced jitter on your client machines, I'd
suggest two things:

1) install ntp clients on them, and
2) create your client certificates with a notBefore date of (now - 10m).

The concept of 'time' is that there is One True Time.  The problem is
that the One True Time is difficult to trust your client machines to
have.  (This is the same problem that Kerberos has, by the way.)

-Kyle H

On Wed, Sep 10, 2008 at 4:03 AM, Silviu VLASCEANU
<[EMAIL PROTECTED]> wrote:
> Hello,
>
> Sorry for the delay, I had some problem with... "delays" :).
> I have carefully read all of the suggestions from Kyle and Patrick. However,
> the serial issue was the most flagrant, definitely and I have immediately
> defined one. Concerning the other suggestions (KU, EKU, AKI), I agree with
> them but the project that I work on is not specifically concerned; the
> purpose is only to test a network protocol.
>
> However, I managed to solve the problem which was not at all related to
> openSSL, not even to programming at all.
> I was verifying the endhost certificate immediately after it was generated
> on-the-fly on the issuer machine. The problem was that the clocks of the two
> machines have pronounced jitters (+/- 10 s/week) so my certificate was
> getting verified before its validity date began, thus the "not yet valid"
> error.
>
> Thanks again for all your help, I really added it to my PKC knowledge.
>
> --
> Silviu
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
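The failure Silviu describes and Kyle's "notBefore = now - 10m" fix, modelled in an added example that is not from the thread or from OpenSSL's own code. The issue timestamp and the 10-second skew are constructed, and the check only mirrors the time-window part of chain verification (the X509_V_ERR_CERT_NOT_YET_VALID / X509_V_ERR_CERT_HAS_EXPIRED outcomes), nothing else.

```python
"""Clock-skew model: a certificate issued on machine A and verified at once
on machine B whose clock is behind A's. Standard library only. Validity
times use the UTCTime form RFC 5280 requires for dates before 2050
(YYMMDDHHMMSSZ), which is also what `openssl x509 -dates` prints."""
from datetime import datetime, timedelta, timezone


def to_utctime(t: datetime) -> str:
    """Encode as X.509 UTCTime: two-digit year, seconds present, trailing Z."""
    return t.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def from_utctime(s: str) -> datetime:
    """Decode UTCTime; RFC 5280 maps YY >= 50 to 19YY and YY < 50 to 20YY."""
    if len(s) != 13 or not s.endswith("Z") or not s[:12].isdigit():
        raise ValueError("malformed UTCTime: %r" % s)
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def issue_validity(issuer_now: datetime, lifetime: timedelta,
                   backdate: timedelta = timedelta(0)):
    """Validity the issuer writes. `backdate` is Kyle's (now - 10m): it moves
    notBefore into the past so a slow verifier clock still lands inside it."""
    return to_utctime(issuer_now - backdate), to_utctime(issuer_now + lifetime)


def check_validity(not_before: str, not_after: str, verifier_now: datetime) -> str:
    """The verifier's time-window check, returning OpenSSL's wording."""
    if verifier_now < from_utctime(not_before):
        return "certificate is not yet valid"
    if verifier_now > from_utctime(not_after):
        return "certificate has expired"
    return "ok"


def simulate(skew_seconds: int, backdate_seconds: int) -> str:
    """Issue on A, verify immediately on B whose clock is `skew_seconds`
    behind A's. Returns B's verdict. Issue time is a constructed value."""
    issuer_now = datetime(2008, 9, 10, 4, 3, 0, tzinfo=timezone.utc)
    nb, na = issue_validity(issuer_now, timedelta(days=365),
                            timedelta(seconds=backdate_seconds))
    return check_validity(nb, na, issuer_now - timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    print("no backdate, B 10 s slow:", simulate(10, 0))
    print("10 m backdate, B 10 s slow:", simulate(10, 600))
```

Backdating only absorbs skew smaller than the backdate; an NTP client on the verifier is what actually bounds the skew.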