
maximum validate days for a certificate


Jian Chen
Oct 9, 2001, 7:54:22 PM

Hi, All,

When using openssl req -x509 ...,

Can anyone tell me what the maximum number of days is that you can specify for a
certificate to be valid? I initially used 100 years, i.e., 36500 days, but
that gave me an exit (exit code 2).

Thanks,

Jian
Oct. 9

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Edward Jiang
Oct 9, 2001, 8:41:24 PM

Interesting, I can use openssl req -x509 to generate a self-signed cert with 36500
as the -days parameter, but I got the following Validity:

Not Before: Oct 10 00:20:37 2001 GMT
Not After : Aug 9 17:52:21 1965 GMT

Seems like this is a bug.


Jian Chen
Oct 9, 2001, 9:09:19 PM

Hi,

Right, I also got this, and it seems once it reaches a threshold, it will go
back to sometime in the past.

Jian

Dr S N Henson
Oct 9, 2001, 9:44:51 PM

Edward Jiang wrote:
>
> Interesting, I can use openssl req -x509 to generate a self-signed cert with 36500
> as the -days parameter, but I got the following Validity:
>
> Not Before: Oct 10 00:20:37 2001 GMT
> Not After : Aug 9 17:52:21 1965 GMT
>
> Seems like this is a bug.
>

OpenSSL makes use of the system's time libraries, which can normally only
represent a limited range of times and may misbehave.

The only real way to fix this would be for OpenSSL to implement its own
time functions which can properly represent the full range of times
needed (which is the year 0000 to 9999 for a GeneralizedTime structure).

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.

Richard Levitte - VMS Whacker
Oct 10, 2001, 2:12:15 AM

From: "Jian Chen" <jche...@avaya.com>

The explanation is that we get an overflow. The function used to set
the NotAfter time is X509_gmtime_adj(). The adjustment offset
(seconds) is represented with a long, which in a 32-bit world can have
the values -2147483648 to 2147483647.

Now, if we take 36500 days and convert them to seconds, we get
3153600000 (60 * 60 * 24 * 36500), which is way over 2147483647. What
happens is a wraparound, and the end result becomes -1141367296, which
is 13210 days (36 years and a couple of months), 6 hours, 28 minutes
and 15 seconds back in time, which corresponds quite well to the
result you got.

I say that from a technological point of view, you got what you asked
for :-).

To be on the safe side, I'd avoid going for more than 24855 days on a
32-bit system (come on, try 24855 and 24856 and you'll probably see
the difference. No, I didn't try it).

We probably should write a little warning in the docs about this.

jchen777> Right, I also got this, and it seems once it reaches a threshold, it will go
jchen777> back to sometime in the past.
jchen777>
jchen777> Jian
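The wraparound Richard Levitte describes, worked through in C as an added example (this is not OpenSSL's code and does not call its API). It models the seconds offset of the 2001-era adjustment as a 32-bit two's-complement `long`, adds the pre-call check a caller should make before passing a large `-days` value, and reproduces the notAfter the thread reports from the quoted notBefore. The 32-bit wraparound model, the date arithmetic and the helper names (`adj_seconds_32`, `days_fit_32`, `wrapped_not_after`, `sample_not_before`) are this example's own assumptions; only the notBefore and the 36500-day input come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. Models the 32-bit `long` overflow in the
 * seconds offset that the thread attributes to X509_gmtime_adj(). */

#define SECS_PER_DAY 86400LL

typedef struct { int year, month, day, hour, min, sec; } utc_time;

/* Largest -days value whose seconds offset still fits in a signed 32-bit long:
 * (2^31 - 1) / 86400 = 24855, the figure Levitte quotes. */
long max_safe_days_32(void) { return (long)(INT32_MAX / SECS_PER_DAY); }

/* The check a caller should make before the adjustment: does days*86400 fit? */
int days_fit_32(long days) {
    int64_t secs = (int64_t)days * SECS_PER_DAY;
    return secs >= INT32_MIN && secs <= INT32_MAX;
}

/* days*86400 as a 32-bit two's-complement `long` would hold it (assumed model). */
int32_t adj_seconds_32(long days) {
    uint32_t u = (uint32_t)((int64_t)days * SECS_PER_DAY); /* reduce mod 2^32 */
    if (u <= (uint32_t)INT32_MAX) return (int32_t)u;
    return (int32_t)(u - 0x80000000u) + INT32_MIN;         /* reinterpret as signed */
}

/* Proleptic Gregorian <-> days since 1970-01-01 (Howard Hinnant's algorithms),
 * so pre-1970 results are handled without relying on the platform's gmtime(). */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static void civil_from_days(int64_t z, utc_time *t) {
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    t->day = (int)(doy - (153 * mp + 2) / 5 + 1);
    t->month = (int)(mp < 10 ? mp + 3 : mp - 9);
    t->year = (int)(yoe + era * 400 + (t->month <= 2));
}

int64_t utc_to_epoch(utc_time t) {
    return days_from_civil(t.year, t.month, t.day) * SECS_PER_DAY
         + t.hour * 3600 + t.min * 60 + t.sec;
}

utc_time epoch_to_utc(int64_t secs) {
    utc_time t;
    int64_t days = secs / SECS_PER_DAY, rem = secs % SECS_PER_DAY;
    if (rem < 0) { rem += SECS_PER_DAY; days -= 1; }  /* floor division for negatives */
    civil_from_days(days, &t);
    t.hour = (int)(rem / 3600); t.min = (int)(rem % 3600 / 60); t.sec = (int)(rem % 60);
    return t;
}

/* notAfter = notBefore + the (possibly wrapped) 32-bit seconds offset. */
utc_time wrapped_not_after(utc_time not_before, long days) {
    return epoch_to_utc(utc_to_epoch(not_before) + adj_seconds_32(days));
}

/* Constructed input: the notBefore quoted in the thread (Oct 10 00:20:37 2001 GMT). */
utc_time sample_not_before(void) {
    utc_time nb = {2001, 10, 10, 0, 20, 37};
    return nb;
}

int main(void) {
    long req[] = {36500, 24855, 24856};
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        utc_time na = wrapped_not_after(sample_not_before(), req[i]);
        printf("-days %ld: fits32=%d offset=%d notAfter=%04d-%02d-%02d %02d:%02d:%02dZ\n",
               req[i], days_fit_32(req[i]), adj_seconds_32(req[i]),
               na.year, na.month, na.day, na.hour, na.min, na.sec);
    }
    return 0;
}
```

With 36500 days the offset wraps to -1141367296 and notAfter lands on Aug 9 17:52:21 1965, matching the thread; 24855 still fits and 24856 wraps negative. Whatever version of the tool is in use, the practical check is the same: inspect the certificate you actually produced with `openssl x509 -noout -dates -in cert.pem` and reject any notAfter that is not later than notBefore.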
