I have my own PKI running on a Debian 8 server (that I set up using
this tutorial:
http://pki-tutorial.readthedocs.io/en/latest/index.html).

Certificate creation and signing have worked fine on all
my Linux- and Windows-based servers and clients, but when I try to
use the certs on OpenBSD 6.0 (httpd, openvpn) nothing works. I'm not
sure if it's a problem with the certs themselves, a compatibility
problem between OpenSSL and LibreSSL, or something else.


Running a verify on either a server cert (whose key and CSR were
generated on OpenBSD, and cert signed on the Debian server) produces an
error about the notAfter field:

$ openssl verify -CAfile root-ca.crt server.crt
server.crt: C = US, ST = Georgia, L = Atlanta, O = George Lane, CN = George Lane Certificate Authority
error 14 at 1 depth lookup:format error in certificate's notAfter field

$ openssl verify -CAfile root-ca.crt root-ca.crt
root-ca.crt: C = US, ST = Georgia, L = Atlanta, O = George Lane, CN = George Lane Certificate Authority
error 14 at 0 depth lookup:format error in certificate's notAfter field

The man page informs me that error 14 indicates "The certificate notAfter
field contains an invalid time." I'm unable to reproduce this on my
other servers, though. Here are the same commands run against the same
certs on the Debian server:

$ openssl verify -CAfile root-ca.crt server.crt
server.crt: OK

$ openssl verify -CAfile root-ca.crt root-ca.crt
root-ca.crt: OK

Even opening the cert on the cert management console on Windows 7
displays no apparent errors.

The root cert has an expiration date of Dec 31 23:59:59 2035 GMT.
Is there some reason that this would not be an acceptable value?

If it helps, feel free to download a copy of my root cert here:
http://crt.thinkingguy.com/thinkingguy.com.crt

  George Lane
  Atlanta, US
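
A check that can be run against certificates like the ones in the message above (an added example, not part of the original post): it reads the notBefore/notAfter fields from a DER certificate and reports how each is encoded, using the RFC 5280 section 4.1.2.5 rule that dates through 2049 are encoded as UTCTime and later dates as GeneralizedTime. `SAMPLE` is a constructed skeleton, not the poster's certificate, and the function names are this example's own.

```python
import re

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18  # ASN.1 universal tags

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def validity_times(cert_der):
    """Return [(tag, text), (tag, text)] for notBefore and notAfter."""
    _, cert, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    tbs = children(children(cert)[0][1])    # fields of tbsCertificate
    # Order: optional [0] version, serial, signature alg, issuer, validity
    idx = 4 if tbs[0][0] == 0xA0 else 3
    return [(t, v.decode("ascii")) for t, v in children(tbs[idx][1])]

def check_time(tag, text):
    """Return a list of RFC 5280 4.1.2.5 encoding problems (empty if none)."""
    if tag == UTC_TIME:
        return [] if re.fullmatch(r"\d{12}Z", text) else ["UTCTime must be YYMMDDHHMMSSZ"]
    if tag == GENERALIZED_TIME:
        if not re.fullmatch(r"\d{14}Z", text):
            return ["GeneralizedTime must be YYYYMMDDHHMMSSZ"]
        return ["dates through 2049 must be UTCTime"] if int(text[:4]) < 2050 else []
    return ["unexpected tag 0x%02x" % tag]

def _tlv(tag, value):                       # builder for the constructed sample only
    return bytes([tag, len(value)]) + value

# Constructed skeleton (fields up to validity only), with a 2035 notAfter
# deliberately encoded as GeneralizedTime to show what the check reports.
SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01")
              + _tlv(0x30, b"") + _tlv(0x30, b"")
              + _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x18, b"20351231235959Z"))))

if __name__ == "__main__":
    for tag, text in validity_times(SAMPLE):
        print(hex(tag), text, check_time(tag, text) or "ok")
```

For a real PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` or `openssl x509 -in root-ca.crt -outform DER` and pass the resulting bytes to `validity_times()`.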
