Hi,

As per the article available at: http://technet2.microsoft.com/windowsserver/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true

"The publish period of a CRL is established by the CA administrator. However, the validity period of the CRL is extended from the publish period to allow for Active Directory replication. By default, Certificate Services extends the publish period by 10% (up to a maximum of 12 hrs) to establish the validity period. So, for example, if a CA is publishing a CRL every 24 hours, the validity period is set to 26.4 hours."

Our application is a CA simulator. It publishes a CRL for the certificates it has signed. The -gencrl option is used to generate the CRL every 1 hour. But gencrl does not have an option to provide a grace extension of the validity period. If -crlhours is set to '1' and the CRL is published at T0, the validity interval extends from T0 to T0+1. But I need to have the validity from (T0-10min + 1), 1 hour 10 min.

The client which tries to fetch the CRLs from the database in which our CA simulator stores the CRL at times complains that the CRL start time is ahead of its time, due to clock skew.

Any ideas how we can have the extensions in the validity period?

Thanks,
Prabhu. S
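Added example, not part of the original post and not OpenSSL code: a Python model of the timing discussed above, showing the 10% (capped at 12 hours) extension of nextUpdate from the quoted article, the 10-minute backdating of thisUpdate the post asks for, and the time check a client with a slow clock performs. The function names, the sample T0 and the 3-minute skew are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def crl_window(publish_time, publish_period, backdate=timedelta(0),
               overlap_percent=10, overlap_cap=timedelta(hours=12)):
    """Return (thisUpdate, nextUpdate) for a CRL issued at publish_time.

    nextUpdate is extended past the publish period by overlap_percent,
    capped at overlap_cap (the rule quoted in the post); thisUpdate is
    moved back by `backdate` to tolerate clients with slow clocks.
    """
    overlap = min(publish_period * overlap_percent / 100, overlap_cap)
    return publish_time - backdate, publish_time + publish_period + overlap

def client_status(this_update, next_update, client_now):
    """Classify the CRL the way a relying party's time check would."""
    if client_now < this_update:
        return "not yet valid"
    if client_now > next_update:
        return "expired"
    return "valid"

def asn1_time(dt):
    """Format a timestamp as GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed T0
    slow_client = t0 - timedelta(minutes=3)                # constructed skew
    hour = timedelta(hours=1)
    for label, backdate in (("as published", timedelta(0)),
                            ("backdated 10 min", timedelta(minutes=10))):
        this_upd, next_upd = crl_window(t0, hour, backdate, overlap_percent=0)
        print(label, asn1_time(this_upd), asn1_time(next_upd),
              client_status(this_upd, next_upd, slow_client))
```

OpenSSL 3.0 and later accept timestamps in this format through the `-crl_lastupdate` and `-crl_nextupdate` options of `openssl ca -gencrl`.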