On Wed, Jun 19, 2013 at 1:34 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>>From: owner-openssl-us...@openssl.org On Behalf Of Bob Bell (rtbell)
>>Sent: Wednesday, 19 June, 2013 15:01
>
>>I have a situation where I need to determine the validity of a certificate
>>in all other aspects even though it has expired. In other words, the
>>signatures are all valid and the contents untampered, but the "notAfter"
>>date is less than current date. If I run the certificate verify process
>
> What about revocation? CAs aren't required to maintain and provide
> revocation status for certs that have expired. But see below.
>
>>against that certificate, will it tell me if there are higher severity errors
>>(e.g. issuer signature invalid) rather than checking the validity period
>>and finding the problem? I guess another way of asking the question is:
>>if I get the error "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
>>does that imply that everything else is OK?
>
> UTSL, but even if so I see no guarantee it won't change in future.
>
> What you can do is verify using a specific past time instead of now:
> commandline verify -attime or X509_VERIFY_PARAM_set_time.
>
> But the CRL logic is pretty complicated and I'm not certain
> if it will find just the CRL(s) for the past time without help
> -- but I'm sure it could do so only if you already have them,
> since you won't be able to request them from the CA.

This is not a rare pattern - e.g., validation of a signature after the
signer's cert has expired.  The problem is that, without exhaustive
CRL access, it's impossible to know if the certificate is not revoked
for some reason that would invalidate the signature (loss or
compromise of private key, etc.).

- M
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
