On Mon, Oct 10, 2011, Felix Brack (Mailinglist) wrote: > Hello, > > My PKI is currently running on a 32 bit machine with Open SSL > version 0.9.8 suffering from the Y2038 bug. Another 64 bit machine > does not show that bug. > > What I need for now is a CA certificate for signing which should > have a validity that extends beyond 2038, say 2050. I can create > such a certificate on the 64 bit machine, no problem. If I use this > certificate on the 32 bit machine to sign certificates created on > the 32 bit machine, will this work, i.e. will the Y2038 bug not show > up as long as the certificate I am signing expires before the > critical date? Or: will Open SSL on the 32 bit machine deal > correctly with the signing certificate that expires 2050, even > though it can't create such a certificate? >
Yes all versions of OpenSSL should correctly verify any date in a certificate. If you use OpenSSL 1.0.0 or later you shoudln't see the 2038 issue on any platform because OpenSSL uses its own internal date routines to bypass the limitations of system routines. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
