Hi team,
Despite what the man-page for OpenXPKI::DateTime says, it appears that
configuring an absolute date for “notafter” does not work in OpenXPKI.
e.g. I am trying to sign certificates (via SCEP) with a fixed end-date of
15 Nov 2029, but I am seeing the following messages in
/var/log/openxpki/openxpki.log
# in YYYYMMDDHHMMSS format (expect to work, but doesn't)
2021/09/16 15:40:34 ERROR Invalid format given to detect; __VALIDITY__ =>
20291115000000 [pid=51|sid=H3Ds|wftype=certificate_enroll|wfid=28415]
2021/09/16 15:40:47 ERROR Invalid format given to detect; __VALIDITY__ =>
20291115000000 [pid=52|sid=KWJ6|wftype=certificate_enroll|wfid=28415]
2021/09/16 16:03:44 ERROR Invalid format given to detect; __VALIDITY__ =>
20291115000000 [pid=20|sid=H3Ds|wftype=certificate_enroll|wfid=28671]
# with YYYYMMDD format (expect to work, but doesn't)
2021/09/16 16:13:03 ERROR Invalid format given to detect; __VALIDITY__ =>
20291115 [pid=15|sid=n3AW|wftype=certificate_enroll|wfid=28927]
The profile configuration is as follows:
root@1eee052cbfcf:/var/log/openxpki# cat
/etc/openxpki/config.d/realm/temp-01/profile/UDI_v01.yaml
# The name of the file equals the name of the profile
# Validity of certificates, can be in absolute or relative format
# absolute: YYYYMMDD[HH[MM[SS]]]
# relative +YY[MM[DD[HH[MM[SS]]]]] or -YY[MM[DD[HH[MM[SS]]]]]
# see OpenXPKI::DateTime for more details
validity:
# notbefore defaults to now if it is omitted
# absolute date or relative to notbefore
#notbefore: 20120101000000
#notafter: +000007
# set for 00:00 on 15 Nov, 2029
notafter: 20291115000000
#notafter: +080000
style:
00_basic_style:
label: I18N_OP
…
[omitted]
Am I doing something wrong, or is this possibly a bug ?
On a related, but separate question - is there a way to configure the
profile to set the “notafter” date to be the same as the end-date of the
current CA certificate?
Many thanks
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
