On Sun, Feb 22, 2009, Oliver Martin wrote:

> On Sat, 21 Feb 2009 00:07:28 +0100, Oliver Martin wrote:
>
> > On a somewhat related note, is it possible to use GeneralizedTime
> > instead of UTCTime for notBefore and notAfter with OpenSSL, as
> > explained here [3]? My ultimate goal is a certificate that remains
> > valid when 32-bit time_t rolls over in 2038, so I need a notBefore
> > somewhere in 1901.
>
> For this part, however, I've only found a horribly hackish workaround:
> 1) set system time to one second before wraparound
> 2) sleep 1
> 3) sign a pre-existing CSR with no explicit startdate
>
> Is there any easier way to use GeneralizedTime other than writing my
> own program using the OpenSSL API to do it?
>

OpenSSL will only use GeneralizedTime in accordance with the standards:
i.e. for years after 2049.

However, if you set -days to a large enough value you are at the mercy of
the system time routines in versions of OpenSSL before 0.9.9-dev: if they
wrap around you'll get an invalid date. Using a system with a 64-bit
time_t will avoid that.

OpenSSL 0.9.9 performs some of its own date calculations and so is immune
to such problems; you can set a -days value which will set years right up
to the GeneralizedTime year limit of 9999.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
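
The two effects described in the reply above, as an added example that is not part of the original message and is not OpenSSL code: the UTCTime/GeneralizedTime choice by year, and what a large -days value does to a notAfter computed in a 32-bit time_t. The function names, the start time and the -days values are constructed for illustration; the code models only the arithmetic and calls no OpenSSL API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 -> proleptic Gregorian date (no time_t, no gmtime). */
static void civil_from_days(int64_t z, int64_t *y, int *m, int *d) {
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = yoe + era * 400 + (*m <= 2);
}

/* Write the X.509 validity string for epoch second t. Returns 'U' (UTCTime,
 * years 1950-2049), 'G' (GeneralizedTime) or 0 if the year exceeds 4 digits. */
char x509_time(int64_t t, char out[16]) {
    int64_t days = t / 86400, rem = t % 86400, y;
    int m, d;
    if (rem < 0) { rem += 86400; days--; }
    civil_from_days(days, &y, &m, &d);
    if (y < 0 || y > 9999) return 0;
    int utc = (y >= 1950 && y <= 2049);
    snprintf(out, 16, utc ? "%02d%02d%02d%02d%02d%02dZ" : "%04d%02d%02d%02d%02d%02dZ",
             (int)(utc ? y % 100 : y), m, d,
             (int)(rem / 3600), (int)(rem % 3600 / 60), (int)(rem % 60));
    return utc ? 'U' : 'G';
}

/* now + days, computed in a signed 32-bit time_t: the sum wraps modulo 2^32. */
int64_t not_after_32(int64_t now, int64_t days) {
    uint32_t u = (uint32_t)(now + days * 86400);
    return u >= 0x80000000u ? (int64_t)u - 4294967296LL : (int64_t)u;
}
int64_t not_after_64(int64_t now, int64_t days) { return now + days * 86400; } /* 64-bit time_t */

int main(void) {
    int64_t now = 1235260800, day_counts[] = {3650, 15000}; /* constructed inputs */
    char a[16], b[16];
    for (int i = 0; i < 2; i++) {
        x509_time(not_after_64(now, day_counts[i]), a);
        x509_time(not_after_32(now, day_counts[i]), b);
        printf("-days %lld: 64-bit %s, 32-bit %s%s\n", (long long)day_counts[i],
               a, b, strcmp(a, b) ? "  <-- wrapped" : "");
    }
    return 0;
}
```

With the constructed start time of 2009-02-22, a -days value of 15000 lands in 2050 and is encoded as GeneralizedTime under 64-bit arithmetic, while the 32-bit sum wraps to a date in 1914, before the start of the validity period.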