Re: [Users] freeswan-certificate problem

From: sahil <sahil(at)elitecore.com>
Date: Wed Mar 31 2004 - 04:01:54 EST

hi,

But when i gave days=12346,
it gave,

	Validity
            Not Before: Mar 31 08:52:23 2004 GMT
            Not After : Jan 18 08:52:23 2038 GMT

and when i gave days=12347
it gave,

	Validity
            Not Before: Mar 31 08:55:41 2004 GMT
            Not After : Dec 14 02:27:25 2001 GMT

So it is not generating certificates more than 12346 days.

Infact some days ago it accepted days=12354. i don't know why this days are varying????

thanx
regards

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen@strongsec.net] Sent: Wednesday, March 31, 2004 12:22 PM To: sahil
Cc: freeswan user; freeswan list user
Subject: Re: [Users] freeswan-certificate problem

Hi,

you shouldn't generate a certificate with a lifetime of more 45 years since openssl currently codes dates in the ASN.1 UTCTIME format (YY) instead of the Y2K proof GENERALIZEDTIME format (YYYY).

thus the years 1950-1999 are mapped to 50..99 and the years 2000-2049 are mapped to 00..49

Starting with the year 2050 the GENERALIZEDTIME format is used. But besides the Deutsche Telekom nobody is supporting this format in X.509 certificates right now.

Regards

Andreas

sahil wrote:

> hello,
newreq.pem -out
> newreq.pem
>
> --> For certificate signing :
policy_anything -out
> newcert.pem -days 365 -in newreq.pem

---

Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   
http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64

CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65

==========================================[strong internet security]===

_______________________________________________

FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr Received on Wed Mar 31 04:16:45 2004