On 23.12.2012 14:12, John Kristoff via RT wrote:
> I've come across X.509 certificates that appear to have expiration
> dates of February 29 in a year that is not a leap year when examined
> with OpenSSL.
>
> I'll include an example certificate below found in the wild. If you
> save it to a text file named cert.pem and run:
>
>   openssl x509 -text -in cert.pem
>
> It should show you all gory details including this nugget:
>
>   Not After : Feb 29 18:35:01 2022 GMT
>
> which would be curious, because there is no February 29 in calendar year
> 2022. I'm not familiar with the openssl code so I'm not sure how this
> should be addressed since the cert was issued this way.
>
> Should OpenSSL mitigate it as most browsers I tested with appear to do
> by interpreting the notAfter date as March 1 instead?

John,

I guess the answer is quite clear, the certificate maintenance (aka validity) expires at least on Feb 28 24:00:00 as this is the last valid date. You should not care about the non-existent date, look at the valid dates only.

BTW the same situation appears with Nov 31 or a non-existent leap second.

Regards,
Ann.

P.S. The funny story with that cert is that it is a CA cert without cert/CRL signing key usage...
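
A way to flag the non-existent dates this thread discusses before a certificate is trusted or issued, as an added example that is not part of the original messages or of OpenSSL. The function name `check_asn1_time` is hypothetical, the sample strings are constructed (the first encodes the Not After value quoted above as a UTCTime), and rejecting second 60 is a policy choice of this example.

```python
import calendar
import re

# RFC 5280 time forms: UTCTime (YYMMDDHHMMSSZ), GeneralizedTime (YYYYMMDDHHMMSSZ)
_ASN1_TIME = re.compile(r"(\d{2}|\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def check_asn1_time(value):
    """Return a list of problems in an ASN.1 time string; empty means valid."""
    m = _ASN1_TIME.fullmatch(value)
    if m is None:
        return ["not in YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ form"]
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    if len(m.group(1)) == 2:
        # RFC 5280 UTCTime rule: YY >= 50 is 19YY, otherwise 20YY
        year += 1900 if year >= 50 else 2000
    if not 1 <= month <= 12:
        return ["month %02d does not exist" % month]
    problems = []
    last_day = calendar.monthrange(year, month)[1]
    if not 1 <= day <= last_day:
        problems.append("day %02d does not exist in %04d-%02d (last day is %02d)"
                        % (day, year, month, last_day))
    if hour > 23 or minute > 59:
        problems.append("time of day %02d:%02d does not exist" % (hour, minute))
    if second > 59:
        # Policy of this example: second 60 (a leap second) is rejected too
        problems.append("second %02d is outside 00-59" % second)
    return problems


if __name__ == "__main__":
    # Constructed samples; the first encodes the Not After value quoted above
    for sample in ("220229183501Z", "240229183501Z", "20221131000000Z",
                   "221231235960Z"):
        print(sample, check_asn1_time(sample) or "ok")
```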
