>From: owner-openssl-us...@openssl.org On Behalf Of Bob Bell (rtbell)
>Sent: Wednesday, 19 June, 2013 15:01
>
>I have a situation where I need to determine the validity of a certificate
>in all other aspects even though it has expired. In other words, the
>signatures are all valid and the contents untampered, but the "notAfter"
>date is less than current date. If I run the certificate verify process

What about revocation? CAs aren't required to maintain and provide revocation status for certs that have expired. But see below.

>against that certificate, will it tell me if there are higher severity errors
>(e.g. issuer signature invalid) rather than checking the validity period
>and finding the problem? I guess another way of asking the question is
>If I get the error "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
>does that imply that everything else is OK?

UTSL, but even if so I see no guarantee it won't change in future.

What you can do is verify using a specific past time instead of now: command line `verify -attime` or `X509_VERIFY_PARAM_set_time`. But the CRL logic is pretty complicated and I'm not certain if it will find just the CRL(s) for the past time without help -- but I'm sure it could do so only if you already have them, since you won't be able to request them from the CA.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org