Hello
On requesting a certificate which should expire in 2050, openxpki creates a
certificate with a "not after" of 1950.
OpenXPKI 3.30.3 (same with 3.28.4)
Certificate requested by EST
Validity definition in profile:
    validity:
        notafter: +25
openxpki WebUI presents this:
* Correct "not after" date (2050-01-09 ....) in
  * Certificate query result list
  * Certificate details page
* Wrong "not after" date (1950-01-09 ...) in
  * "Display certificate on screen (Text + PEM)" from certificate details page
The 1950 expiration is shown as well when checking the certificate's content with
the openssl 3.0.13 CLI or the Windows 10 UI. Using such a 1950 certificate to authorize
another EST request results in rejection of the SSL/TLS connection because of
certificate expiration.
This was no issue until the end of last year (2024+25=2049). If I now change the
validity definition in the profile to e.g. "+24", the result is correct again
(2049).
The CA is valid even longer and there is no issue with that certificate, but
the CA has not been created with openxpki.
It seems that this has something to do with the PKI specification. I've found
[1] which mentions in short this:
1. RFC5280 (about PKI) states this:
   1. Dates up to 2049 should be specified in UTCTime
   2. Dates beginning in the year 2050 should be specified as GeneralizedTime
   3. All client consumers of the certificate should be able to evaluate both
      UTCTime and GeneralizedTime.
2. UTCTime is defined as YYMMDDHHMMSS (two-digit year), 50 (and above) being
   interpreted as 1950. GeneralizedTime then uses a four-digit year.
Assuming that a current openssl version is a correct behaving consumer,
something must be wrong at creation of the certificate. Is this an openxpki bug
or maybe something in a library used by openxpki?
Kind regards,
Stefan
[1] https://www.redhat.com/en/blog/certificate-y2k20-bug
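Added example (not from the mail above or from OpenXPKI itself): a minimal DER encoder/decoder for the X.509 Time choice from RFC 5280 section 4.1.2.5, with a validity check a defender can run on a certificate's two Time fields. It shows why a notAfter in 2050 written as UTCTime is read back as 1950 by a conforming consumer, and that the same date encoded as GeneralizedTime round-trips. The function names, the sample dates and the `force_utctime` switch are my own constructions for the demonstration.

```python
# RFC 5280 4.1.2.5: UTCTime (tag 0x17) for 1950..2049, GeneralizedTime
# (tag 0x18) from 2050 on. Constructed example, not OpenXPKI code.
from datetime import datetime, timezone

UTC_TIME_TAG = 0x17          # UTCTime: YYMMDDHHMMSSZ, two-digit year
GENERALIZED_TIME_TAG = 0x18  # GeneralizedTime: YYYYMMDDHHMMSSZ, four-digit year


def encode_time(dt: datetime, force_utctime: bool = False) -> bytes:
    """Encode a UTC datetime as a DER Time TLV. force_utctime (hypothetical
    switch) reproduces the faulty two-digit encoding of a 2050 date."""
    if dt.year < 2050 or force_utctime:
        tag, body = UTC_TIME_TAG, dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = GENERALIZED_TIME_TAG, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body


def decode_time(der: bytes) -> datetime:
    """Decode a DER Time TLV the way a conforming consumer (e.g. openssl) does."""
    tag, length, body = der[0], der[1], der[2:]
    if length != len(body) or not body.endswith(b"Z"):
        raise ValueError("malformed Time")
    text = body[:-1].decode("ascii")
    if tag == UTC_TIME_TAG:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 pivot: 50 -> 1950
        text = f"{year:04d}{text[2:]}"
    elif tag != GENERALIZED_TIME_TAG:
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def diagnose_validity(not_before: bytes, not_after: bytes) -> str:
    """Check the two Time fields of a certificate: a notAfter that precedes
    notBefore and is a UTCTime decoding to 19xx is the Y2050 symptom."""
    nb, na = decode_time(not_before), decode_time(not_after)
    if na >= nb:
        return "ok"
    if not_after[0] == UTC_TIME_TAG and na.year < 2000:
        return "notAfter read as 19xx: year 2050+ must be GeneralizedTime"
    return "notAfter precedes notBefore"


def demo() -> tuple:
    """Constructed sample: issued 2025-01-09, meant to expire 2050-01-09."""
    nb = encode_time(datetime(2025, 1, 9, 12, 0, 0, tzinfo=timezone.utc))
    want = datetime(2050, 1, 9, 12, 0, 0, tzinfo=timezone.utc)
    return (diagnose_validity(nb, encode_time(want, force_utctime=True)),
            diagnose_validity(nb, encode_time(want)))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```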
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users