d2i_X509_CINF:asn1 length mismatch
Hi, I am trying to use OpenSSL 0.9.4 with my application and trying to load a CA certificate ".pem". It gives me an error. I am trying to add a trusted list of CAs; for that I am reading the certificate from a file and storing it, but I got this error:

    Error reading cert from \My Documents\servercert.pem:
    3257351134:error:0D0A203E:asn1 encoding routines:d2i_X509_CINF:asn1 length mismatch:..asn1\x_cinf.c:165:
    3257351134:error:0D09F03A:asn1 encoding routines:d2i_X509:nested asn1 error
    RaiseException: Thread=8328bb8c Proc=80298fa0 AKY=0011 PC=03f6c3c4(coredll.dll+0x0001e3c4) RA=80012978( NK.EXE+0x00012978) BVA=0001 FSR=0001

Please help.

Thanks,
Sanal.
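The errors above are what the DER decoder (the d2i_* family) reports when it is handed bytes that do not parse as DER. A ".pem" file is base64 text between BEGIN/END lines; it has to be read with PEM_read_X509()/PEM_read_bio_X509(), or converted to DER first, before a d2i_* routine can see it. The Python below is an added example, not code from the post: it sniffs whether a file is PEM or DER, converts PEM to DER with the standard library's ssl.PEM_cert_to_DER_cert, and applies the first check a DER decoder makes (outer SEQUENCE tag, valid length octets, declared length fitting in the buffer), so a PEM file or a truncated file is rejected before it reaches a DER decoder. The sample body is constructed (a bare DER SEQUENCE of dummy bytes, not a real certificate) and the function names are mine.

```python
import ssl

# Constructed sample: an outer DER SEQUENCE (tag 0x30, long-form length 0x0100)
# wrapping 256 dummy bytes. It is NOT a real certificate; it only exercises the
# outer tag/length check that every DER decoder performs first.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
# The same bytes in PEM armor, as a file saved as ".pem" would look.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
# A DER file cut short, as a bad copy or a partial download would produce.
TRUNCATED_DER = SAMPLE_DER[:100]


def sniff_format(data: bytes) -> str:
    """Classify certificate bytes as 'PEM', 'DER' or 'unknown' from their first bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":   # ASN.1 SEQUENCE tag: every X.509 certificate starts with it
        return "DER"
    return "unknown"


def der_outer_length(data: bytes) -> int:
    """Decode the outer tag/length of a DER blob and return the total encoded size.

    Raises ValueError for the conditions a DER decoder rejects: wrong tag,
    indefinite length (illegal in DER), malformed length octets, or a declared
    length that runs past the end of the buffer (a length mismatch).
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte %r)" % data[:1])
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("malformed length octets")
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    total = header + length
    if total > len(data):
        raise ValueError("asn1 length mismatch: header says %d bytes, buffer has %d"
                         % (total, len(data)))
    return total


def decode_error(data: bytes):
    """Return the DER-level error message for data, or None if the outer TLV is sound."""
    try:
        der_outer_length(data)
    except ValueError as exc:
        return str(exc)
    return None


def load_cert_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate supplied as either PEM or DER.

    This is the conversion a loader must do before calling a d2i_* routine,
    which only understands DER.
    """
    fmt = sniff_format(data)
    if fmt == "PEM":
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    elif fmt == "DER":
        der = data
    else:
        raise ValueError("unrecognised certificate encoding")
    der_outer_length(der)                 # reject truncated/garbled input up front
    return der
```

Feeding SAMPLE_PEM to der_outer_length fails on the very first byte ('-' is not a SEQUENCE tag), which is the same class of failure the post shows; load_cert_der converts it and succeeds.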
RE: newbie: set cert time validity
> thanks a lot for your lengthy explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case:
> 1) The locale you are using the certificate has no daylight savings time.
> 2) The certificate isn't going anywhere, it's only going to be used in one place.
> 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low.
> For no. (1), I'm not really sure about this daylight savings time. I reside in Malaysia (next to Singapore and Thailand) and I'm not sure whether my country has any daylight savings time or not. For no. (2), currently the issued certificates are only used in our office.

I don't know the daylight savings time rules in your area, but if you have daylight savings time, then some of your certificates will expire an hour off from when you intended. I'm pretty sure you do have daylight savings time, and certificates issued that expire during daylight savings time will not actually expire at midnight but will be one hour off.

>     if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey,
>                              pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) {
>         ret = ERROR_MAKECERT;
>         goto end3;
>     }
>     X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
>     X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007
>     X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007

This is wrong, you cannot modify the certificate after it is signed. You have to modify the 'MakeCertificate' function.

> As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to MakeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert: "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."
>
> I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anywhere else where I should put it.

Inside the 'MakeCertificate' function.

> And for the MakeCertificate function which was called above, all I could find was this code:
>
>     X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key,
>                           char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays,
>                           long pserial,int palgo,int ca_type)
>
> which was located in the Global.h file. It doesn't seem there is anywhere I can put the X509_gmtime_roundup line.

Where is the code to the 'MakeCertificate' function? That's where you'll have to do it.

DS
Re: newbie: set cert time validity
thanks a lot for your lengthy explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case:
1) The locale you are using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one place.
3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low.

For no. (1), I'm not really sure about this daylight savings time. I reside in Malaysia (next to Singapore and Thailand) and I'm not sure whether my country has any daylight savings time or not. For no. (2), currently the issued certificates are only used in our office.

Anyway, to issue a certificate, the code is as below:

    if (!(returnIssueCertificate=IssueCertificate(cinfo,x509,skey,ca,Type,&HexSerial,sendUserName,sendUserID))) {
        MessageDlg("Issue certificate is failed",mtError,TMsgDlgButtons()serialNumber,buf1);
        *HexSerial = (AnsiString)buf1;
        CVAULT_X509_write(x,x509);
        MakePKCS12(pass.c_str(),name.c_str(),pkey,x,p12Path.c_str());
        s = progpath + "client.key";
        WriteKey(pkey,s.c_str());
        //s = progpath + "user.crt";
        s = progpath + receiveUserID + "-" + receiveUserName + ".crt";
        if ((fp = fopen(s.c_str(),"w")) == NULL) {
            ShowMessage("ERROR: Open cert.crt");
            return -3; //to indicate that program unable to open user.crt
        }
        fprintf(fp,"%s",x509);
        fclose(fp);
        // Write CA certificate
        if ((xca = ReadCertificate(ca)) == NULL) {
            ret = ERROR_READ_CACERT;
            goto end3;
        }
        CVAULT_X509_write(xca,cacert);
        s = progpath + "CA.crt";
        if ((fp = fopen(s.c_str(),"w")) == NULL) {
            ShowMessage("ERROR: Open CA.crt");
            return -1;
        }
        fprintf(fp,"%s",cacert);
        fclose(fp);
        X509_free(xca);
        ret = 1;
        //MainForm->tinfo = pinfo;
    end3:
        X509_REQ_free(req);
    end2:
        EVP_PKEY_free(pkey);
    end1:
        for (i=0; i<80; i++) free(sconf[i]); //endfor
        return ret;
    }

As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to MakeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert: "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."

I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anywhere else where I should put it. And for the MakeCertificate function which was called above, all I could find was this code:

    X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key,
                          char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays,
                          long pserial,int palgo,int ca_type)

which was located in the Global.h file. It doesn't seem there is anywhere I can put the X509_gmtime_roundup line.

> Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense.

I've told the management of my company that I don't want to continue debugging this code, but they insist I have to do it because they have no one else to do it... yes, lame reason from them, but I'm in no position to say no. Anyway, I guess if this software is broken, they're the ones who should be blamed, because I've told them I don't want to continue doing this...

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> > hold on! thanks a lot I managed to get it to 23:59:59. all I had to do was change the value strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");
>
> I would not do that. There is no way you can know that 15:59:59 will correspond to 24:59:59 in the future when the certificate expires. You are essentially predicting what the time zone shift will be at some future date. I would strongly urge you to make it expire at midnight UTC/GMT time.
>
> I would go further as to say that whatever tool is presenting certificate expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted it) should be dumped and replaced with something sane. This contains no time zone indicator or GMT offset. If you paste it to a mailing list, it is meaningless.
>
> If your requirement really is that a certificate expire at midnight for the time zone in which it was issued, assuming the zone offset will be the same at certificate issue time as it was at certificate issue time, then the requirement should be re-examined. For one thing, '155959Z' can't possibly be right for every possible case (unless your locality has no daylight savings time and you get lucky and it never does). You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC time at the time and place the certificate is being used when it expires. This seems like a truly crazy assumption.
>
> It might be sensible if three things are the case:
> 1) The locale
RE: cross platform issues with openssl-fips
> I built OpenSSL with the FIPS module, and after a few issues built it
> successfully on Solaris 10 (using Sun cc) and on Windows using MinGW.
> Each works fine on its own platform, but if I encrypt on Solaris 10, I
> get decryption errors on Windows, and vice versa.
>
> Any ideas?

Did you do a 'make test' on both platforms? Also, are you testing in FIPS mode (setting the OPENSSL_FIPS environment variable if you're using the command line application)?

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
policy and constraints support
Hi,

Does anybody know whether the certificate policies and policy constraints extensions are supported, and if so, from which release? By 'supported' here I mean that X509_supported_extension() returns '1'. 0.9.8d has policy constraints support, but somehow this call still returns '0'.

Regards,
binlu
Re: cross platform issues with openssl-fips
Thank you for looking at this :)

= Encrypting on Windows

    C:\test>\ssl\bin\openssl enc -aes128 -in test.odt -out test98.odt.aes    (OpenSSL 0.9.8e 23 Feb 2007)
    C:\test>\ssl\bin\openssl enc -aes128 -in test.odt -out test97.odt.aes    (OpenSSL 0.9.7m-fips 23 Feb 2007)

Cross-decryption on Windows yielded the following SHA1s:

    C:\test>sha1sum test*
    db9c6848e59fd6ec8039544ec3383df2c262b0e4  test.odt
    db9c6848e59fd6ec8039544ec3383df2c262b0e4  test97
    db9c6848e59fd6ec8039544ec3383df2c262b0e4  test98

So all works nicely there. On Solaris it is a different thing:

decrypting test98.odt.aes using (OpenSSL 0.9.7m-fips 23 Feb 2007) on Solaris 10:

    /ssl/bin/openssl enc -aes128 -d -in test98.odt.aes -out test98
    enter aes-128-cbc decryption password:
    bad decrypt
    27772:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509:

decrypting test97.odt.aes using (OpenSSL 0.9.7m-fips 23 Feb 2007) on Solaris 10:

    /ssl/bin/openssl enc -aes128 -d -in test97.odt.aes -out test97
    enter aes-128-cbc decryption password:
    bad decrypt
    28108:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509:

= Encrypting on Solaris

    [nasa ~]$ /usr/local/ssl/bin/openssl dgst -sha1 test.odt
    SHA1(test.odt)= db9c6848e59fd6ec8039544ec3383df2c262b0e4
    [nasa ~]$ /usr/local/ssl/bin/openssl enc -aes128 -in test.odt -out test98s.odt.aes
    enter aes-128-cbc encryption password:
    Verifying - enter aes-128-cbc encryption password:

The SHA1 matches. Let's try to decrypt on Windows:

0.9.8e:

    C:\test>\openssl\bin\openssl enc -aes128 -d -in test98s.odt.aes -out test98s
    enter aes-128-cbc decryption password:
    bad decrypt
    3908:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:461:

0.9.7m:

    C:\test>\ssl\bin\openssl enc -aes128 -d -in test98s.odt.aes -out test98s_
    enter aes-128-cbc decryption password:
    bad decrypt
    828:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509:

Leonard Elia
NASA LaRC

Thomas J. Hruska wrote:
> Elia, Leonard F. wrote:
> > Hello All,
> >
> > I built OpenSSL with the FIPS module, and after a few issues built it successfully on Solaris 10 (using Sun cc) and on Windows using MinGW. Each works fine on its own platform, but if I encrypt on Solaris 10, I get decryption errors on Windows, and vice versa.
> >
> > Any ideas?
> >
> > Leonard Elia
> > NASA LaRC
>
> Cool. NASA uses OpenSSL. Got some command-lines/source code/error messages we can use to duplicate?
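Some background that makes the output above easier to read. `openssl enc` writes the 8-byte magic "Salted__", an 8-byte random salt, and then the ciphertext; key and IV are derived from the password and the salt with EVP_BytesToKey (MD5, one iteration, in the 0.9.7/0.9.8 releases used here; the digest can be chosen with -md). "bad decrypt" from EVP_DecryptFinal is only the PKCS#7 padding check on the last decrypted block, so it is what any key/IV disagreement between two builds looks like, whatever the underlying cause. The Python below is an added example, not from the thread: it reimplements the header parsing, the derivation and the padding check, so that the key and IV that `openssl enc -aes128 -P -S <hexsalt> -k <password>` prints on each platform can be compared against an independent computation. If one platform's printed key/IV disagrees with this derivation, that build's digest or key-derivation code is at fault; if both agree yet decryption still fails, the cipher itself is suspect. The sample file, salt and password are constructed; function names are mine.

```python
import hashlib

MAGIC = b"Salted__"


def hash_bytes(md: str, data: bytes) -> bytes:
    """Hash with the named digest. usedforsecurity=False keeps MD5 usable on
    FIPS-restricted Python builds (keyword exists on Python >= 3.9)."""
    try:
        return hashlib.new(md, data, usedforsecurity=False).digest()
    except TypeError:
        return hashlib.new(md, data).digest()


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1):
    """OpenSSL's EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), each
    hashed `count` times in total; the D_i are concatenated and the first
    key_len bytes become the key, the next iv_len bytes the IV.
    """
    if len(salt) not in (0, 8):
        raise ValueError("salt must be 8 bytes (or empty for -nosalt)")
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        d = hash_bytes(md, prev + password + salt)
        for _ in range(count - 1):
            d = hash_bytes(md, d)
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def parse_enc_file(blob: bytes):
    """Split `openssl enc` output into (salt, ciphertext)."""
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("no Salted__ header; was the file written with -nosalt?")
    return blob[8:16], blob[16:]


def aes128_cbc_key_iv(password: bytes, salt: bytes, md: str = "md5"):
    """Key (16 bytes) and IV (16 bytes), the values `openssl enc -aes128 -P` prints."""
    return evp_bytes_to_key(password, salt, 16, 16, md)


def pkcs7_unpad(last_block: bytes, block_size: int = 16) -> bytes:
    """The check EVP_DecryptFinal performs on the final plaintext block.

    Any failure here is reported as 'bad decrypt', regardless of whether the
    real cause was a wrong password, a different digest, or a broken cipher.
    """
    if len(last_block) != block_size:
        raise ValueError("bad decrypt: final block is not a full block")
    pad = last_block[-1]
    if not 1 <= pad <= block_size or last_block[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad decrypt: invalid padding")
    return last_block[:-pad]


def padding_ok(last_block: bytes) -> bool:
    try:
        pkcs7_unpad(last_block)
    except ValueError:
        return False
    return True


# Constructed sample file: magic + fixed salt + one opaque ciphertext block.
SAMPLE_SALT = bytes(range(8))
SAMPLE_FILE = MAGIC + SAMPLE_SALT + b"\xAA" * 16
SAMPLE_PASSWORD = b"correct horse"
```

Use a fixed salt (-S 0001020304050607) on both machines so the printed key/IV are directly comparable; with a random salt the two runs are expected to differ.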
Re: cross platform issues with openssl-fips
Elia, Leonard F. wrote:
> Hello All,
>
> I built OpenSSL with the FIPS module, and after a few issues built it successfully on Solaris 10 (using Sun cc) and on Windows using MinGW. Each works fine on its own platform, but if I encrypt on Solaris 10, I get decryption errors on Windows, and vice versa.
>
> Any ideas?
>
> Leonard Elia
> NASA LaRC

Cool. NASA uses OpenSSL. Got some command-lines/source code/error messages we can use to duplicate?

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
Ask me about discounts on any Shining Light Productions product!
cross platform issues with openssl-fips
Hello All,

I built OpenSSL with the FIPS module, and after a few issues built it successfully on Solaris 10 (using Sun cc) and on Windows using MinGW. Each works fine on its own platform, but if I encrypt on Solaris 10, I get decryption errors on Windows, and vice versa.

Any ideas?

Leonard Elia
NASA LaRC
EC
Hi All,

I am using elliptic curves, and I am setting the value of the private key field in the EC_KEY structure before calling EC_KEY_generate_key. Every time I am getting different values of the public key. I need help. In W = sG, W is the public key, s is the private key and G is the base point. Is it possible to have different values for W given the same value of s and G? It seems a little absurd, but I am getting different values. Can anyone clarify my doubt?

Thanks in advance.

Regards,
Kiran
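W = sG is a deterministic function of s and G; if the public key changes on every call, the private key is being replaced, not the multiplication misbehaving. EC_KEY_generate_key() always draws a fresh random private key into the EC_KEY before computing the public point, so whatever was stored in the private-key field beforehand is overwritten. To obtain the public key for a private key you already hold, set it with EC_KEY_set_private_key(), compute the point with EC_POINT_mul(group, pub, priv, NULL, NULL, ctx), and store it with EC_KEY_set_public_key(). The Python below is an added example (not from the post and not OpenSSL code) of the arithmetic itself on NIST P-256: the same s always yields the same W, and generate_key() mirrors what EC_KEY_generate_key does. The domain parameters are the published P-256 constants; function names are mine.

```python
import secrets

# NIST P-256 domain parameters (published constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Points are (x, y) tuples in affine coordinates; None is the point at infinity.


def on_curve(pt) -> bool:
    """y^2 == x^3 + ax + b (mod p); infinity counts as on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Group law, covering doubling, inverse points and the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P       # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt=G):
    """k * pt by double-and-add. No randomness anywhere: same k, same result."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_key_from_private(s: int):
    """W = sG for a private key you already hold (what EC_POINT_mul computes)."""
    if not 1 <= s < N:
        raise ValueError("private key must be in [1, n-1]")
    return scalar_mult(s)


def generate_key():
    """What EC_KEY_generate_key does: pick a fresh random s, then W = sG.
    Any s set beforehand is discarded, which is why W differs on every call."""
    s = 1 + secrets.randbelow(N - 1)
    return s, public_key_from_private(s)
```

Calling generate_key() twice gives two different W because it draws two different s; calling public_key_from_private() twice with the same s gives the same W every time.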
Printing value stored in ASN1_TYPE
I needed to have a routine to convert the data stored in an ASN1_TYPE structure to an ASCII string. After finding that no one on the net seemed to have the answer, I went and did some research. This is what I came up with for an answer. If anyone sees anything wrong with it I would love to know about it and will make suitable adjustments. I will probably submit the change to the OpenSSL project for hopeful inclusion.

Peace,
Chuck Wegrzyn

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/asn1.h>
    #include <openssl/bio.h>
    #include <openssl/objects.h>
    #include <openssl/x509v3.h>

    static void error(const char *msg)
    {
        /* print out message... (as data, never as the format string) */
        fputs(msg, stderr);
        exit(1);
    }

    void ASN1_TYPE_print(BIO *bio, ASN1_TYPE *ptr)
    {
        char objbuf[80];
        const char *ln;
        char *num;
        int nid;

        /* Collect the things from the ASN1_TYPE structure */
        switch (ptr->type) {
        case V_ASN1_BOOLEAN:
            BIO_puts(bio, ptr->value.boolean ? "true" : "false");
            break;
        case V_ASN1_INTEGER:
        case V_ASN1_ENUMERATED:
            /* ENUMERATED shares the INTEGER representation. i2s_ASN1_INTEGER()
               returns an OPENSSL_malloc'd decimal string that must be freed. */
            num = i2s_ASN1_INTEGER(NULL, ptr->value.integer);
            if (num == NULL)
                error("i2s_ASN1_INTEGER failed\n");
            BIO_puts(bio, num);
            OPENSSL_free(num);
            break;
        case V_ASN1_NULL:
            BIO_puts(bio, "NULL");
            break;
        case V_ASN1_UTCTIME:
            ASN1_UTCTIME_print(bio, ptr->value.utctime);
            break;
        case V_ASN1_GENERALIZEDTIME:
            ASN1_GENERALIZEDTIME_print(bio, ptr->value.generalizedtime);
            break;
        case V_ASN1_OBJECT:
            /* Always the dotted form (no_name=1); OBJ_obj2txt() truncates rather
               than overflows objbuf. Prefix the long name when OpenSSL knows it. */
            OBJ_obj2txt(objbuf, sizeof(objbuf), ptr->value.object, 1);
            nid = OBJ_obj2nid(ptr->value.object);
            ln = (nid != NID_undef) ? OBJ_nid2ln(nid) : NULL;
            if (ln != NULL) {
                BIO_puts(bio, ln);
                BIO_puts(bio, " (");
                BIO_puts(bio, objbuf);
                BIO_puts(bio, ")");
            } else {
                BIO_puts(bio, objbuf);
            }
            break;
        default:
            /* All remaining types (the string types, OCTET STRING, SEQUENCE,
               SET, ...) are carried as an ASN1_STRING, so the generic printer
               handles them; unknown types are hex-dumped. */
            ASN1_STRING_print_ex(bio, ptr->value.asn1_string,
                                 ASN1_STRFLGS_DUMP_UNKNOWN | ASN1_STRFLGS_SHOW_TYPE);
            break;
        }
    }
RE: newbie: set cert time validity
> hold on! thanks a lot I managed to get it to 23:59:59. all I had to do was change the value strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");

I would not do that. There is no way you can know that 15:59:59 will correspond to 24:59:59 in the future when the certificate expires. You are essentially predicting what the time zone shift will be at some future date. I would strongly urge you to make it expire at midnight UTC/GMT time.

I would go further as to say that whatever tool is presenting certificate expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted it) should be dumped and replaced with something sane. This contains no time zone indicator or GMT offset. If you paste it to a mailing list, it is meaningless.

If your requirement really is that a certificate expire at midnight for the time zone in which it was issued, assuming the zone offset will be the same at certificate issue time as it was at certificate issue time, then the requirement should be re-examined. For one thing, '155959Z' can't possibly be right for every possible case (unless your locality has no daylight savings time and you get lucky and it never does). You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC time at the time and place the certificate is being used when it expires. This seems like a truly crazy assumption.

It might be sensible if three things are the case:
1) The locale you are using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one place.
3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low.

Otherwise, this is broken.

> erm... but there's still one problem. Where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? Because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate I can add those lines..
>
> thanks again

You didn't paste the code to IssueCertificate. You should be able to find where it sets the expiration time and modify it just like the others. If not, why are you monkeying in security-critical code?

Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense.

DS
Re: newbie: set cert time validity
erm... but there's still one problem. Where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? Because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate I can add those lines..

thanks again

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> > I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to, for example, 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59'. May I know which part should I alter here?
>
> There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time.
>
> Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.)
>
> DS
Re: newbie: set cert time validity
hold on! thanks a lot I managed to get it to 23:59:59. all I had to do was change the value strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");

thanks again, David Schwartz! You're a great help!!

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> > I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to, for example, 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59'. May I know which part should I alter here?
>
> There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time.
>
> Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.)
>
> DS
Re: newbie: set cert time validity
I see... does this mean I can't make it expire at 23:59:59 on the particular day? This is the UTC/GMT time for which area...? Hmm, actually I'm still confused... Anyway, it's OK then if I can't make it that way. Is there any way I can convince my boss (besides sending him a copy of this email conversation) that it's practically impossible to do what he asked me to do (make the cert expire at 23:59:59 on a chosen date)? He has bugged me to do this since last week, although I've told him many times that I can't do it.

Thanks a lot. And again, really thanks a lot for your help, David Schwartz.

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> > I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to, for example, 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59'. May I know which part should I alter here?
>
> There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time.
>
> Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.)
>
> DS
RE: newbie: set cert time validity
> I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to, for example, 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59'. May I know which part should I alter here?

There is nothing to change, as it is doing exactly what you wanted. The certificate now expires at the end of the day. 1/8/2007 7:59:59 is probably the last second of the day. You are probably looking at the time translated into the time where you happen to be, rather than looking at the UTC/GMT time.

Are you asking that the time be set to the last second of the day in the timezone your computer happens to be in? That's essentially impossible because times can be changed at the whim of governments. There is no practical way to know what will be the last second of 1/8/2020 in San Francisco. (Because things like daylight savings time can change.)

DS
Re: newbie: set cert time validity
Thanks a lot for your help, David Schwartz! I haven't got it correctly yet, but with your help I can see I'm moving somewhere here.

I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my renewCertificate function. When I renewed the cert valid to, for example, 31/7/2007, the cert valid to will be strangely changed to '1/8/2007 7:59:59'. May I know which part should I alter here?

Btw, I have to add the function

    void X509_gmtime_roundup(ASN1_UTCTIME *s)
    {
        /* Rounds an ASN1_UTCTIME up to the end of the current day */
        char buf[32];
        strcpy(buf, (const char *) ASN1_STRING_data(s));
        strcpy(buf+6, "235959Z");
        ASN1_UTCTIME_set_string(s, buf);
    }

to the top of my code; if not, it will return a "Call to undefined function 'X509_gmtime_roundup'" error.

Thanks again.

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
> This function rounds an ASN1_UTCTIME up to the end of the day it belongs to. You need to call this function on an ASN1_UTCTIME before you set it as the 'not valid after' date:
>
>     void X509_gmtime_roundup(ASN1_UTCTIME *s)
>     {
>         /* Rounds an ASN1_UTCTIME up to the end of the current day */
>         char buf[32];
>         strcpy(buf, (const char *) ASN1_STRING_data(s));
>         strcpy(buf+6, "235959Z");
>         ASN1_UTCTIME_set_string(s, buf);
>     }
>
> Here's where I think that goes in your code:
>
>     int RenewCertificate(X509 *old_x509,X509 ** new_x509,EVP_PKEY* pkey, int validity)
>     {
>         X509 *x = NULL;
>         x=old_x509;
>         char buf[512];
>         X509_gmtime_adj(X509_get_notBefore(x),0);
>         X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity);
>
> Here, the 'not valid after' time was just advanced. You need to round it, so add:
>
>         X509_gmtime_roundup(X509_get_notAfter(x));
>         ...
>         ...
>     }
>
> and
>
>     void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
>     {
>         ...
>         X509_gmtime_adj(ci->lastUpdate,0);
>         if (ci->nextUpdate == NULL)
>             ci->nextUpdate=ASN1_UTCTIME_new();
>         X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
>
> If you want to round the CRL time up, use this line next:
>
>         X509_gmtime_roundup(ci->nextUpdate);
>         ...
>     }
>
>     void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
>     {
>         if (ci->nextUpdate == NULL)
>             ci->nextUpdate=ASN1_UTCTIME_new();
>         X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
>
> This also sets the 'nextUpdate' time. If you want to round that to the end of the day, add:
>
>         X509_gmtime_roundup(ci->nextUpdate);
>     }

it seems here all the functions that you mentioned are not called to generate the cert. I'm totally lost on what I should do now...?

> Be sure to test this code before relying on it!
>
> DS
RE: newbie: set cert time validity
This function rounds an ASN1_UTCTIME up to the end of the day it belongs to. You need to call this function on an ASN1_UTCTIME before you set it as the 'not valid after' date:

    void X509_gmtime_roundup(ASN1_UTCTIME *s)
    {
        /* Rounds an ASN1_UTCTIME up to the end of the current day.
         * Only the 13-character "YYMMDDHHMMSSZ" form that X509_gmtime_adj()
         * produces for years before 2050 is handled; a GeneralizedTime or any
         * other layout is left untouched rather than overwritten at offset 6. */
        char buf[32];
        if (s->type != V_ASN1_UTCTIME || s->length != 13 || s->length >= (int)sizeof(buf))
            return;
        memcpy(buf, ASN1_STRING_data(s), s->length);
        buf[s->length] = '\0';
        strcpy(buf+6, "235959Z");
        ASN1_UTCTIME_set_string(s, buf);
    }

Here's where I think that goes in your code:

    int RenewCertificate(X509 *old_x509,X509 ** new_x509,EVP_PKEY* pkey, int validity)
    {
        X509 *x = NULL;
        x=old_x509;
        char buf[512];
        X509_gmtime_adj(X509_get_notBefore(x),0);
        X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity);

Here, the 'not valid after' time was just advanced. You need to round it, so add:

        X509_gmtime_roundup(X509_get_notAfter(x));
        ...
        ...
    }

and

    void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
    {
        ...
        X509_gmtime_adj(ci->lastUpdate,0);
        if (ci->nextUpdate == NULL)
            ci->nextUpdate=ASN1_UTCTIME_new();
        X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);

If you want to round the CRL time up, use this line next:

        X509_gmtime_roundup(ci->nextUpdate);
        ...
    }

    void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
    {
        if (ci->nextUpdate == NULL)
            ci->nextUpdate=ASN1_UTCTIME_new();
        X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);

This also sets the 'nextUpdate' time. If you want to round that to the end of the day, add:

        X509_gmtime_roundup(ci->nextUpdate);
    }

Be sure to test this code before relying on it!

DS
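Two points in this thread are easier to see with the numbers in hand. First, a roundup that overwrites offset 6 assumes a 13-character UTCTime ("YYMMDDHHMMSSZ"), which is what X509_gmtime_adj() produces for dates before 2050; for 2050 and later it produces a GeneralizedTime ("YYYYMMDDHHMMSSZ"), and an unchecked overwrite corrupts the value. Second, the '1/8/2007 7:59:59' that puzzled the poster is 31 July 2007 23:59:59 UTC displayed in a UTC+8 zone (Malaysia Time is UTC+8), and the '155959Z' workaround is that same conversion run backwards under the assumption that the offset never changes. Also note that notBefore/notAfter must be set before X509_sign(); changing them afterwards invalidates the signature, which is the integrity warning reported earlier in the thread. The Python below is an added example, not code from the thread or from OpenSSL: a roundup that checks the layout it is given, and the conversions between the stored UTC value and what a viewer at a fixed offset sees. Function names are mine; the dates are the thread's.

```python
from datetime import datetime, timedelta, timezone


def is_utctime_z(s: str) -> bool:
    """True for the 13-character 'YYMMDDHHMMSSZ' form X509_gmtime_adj writes for years < 2050."""
    return len(s) == 13 and s.endswith("Z") and s[:12].isdigit()


def is_generalizedtime_z(s: str) -> bool:
    """True for the 15-character 'YYYYMMDDHHMMSSZ' form used from 2050 onwards."""
    return len(s) == 15 and s.endswith("Z") and s[:14].isdigit()


def roundup_to_end_of_utc_day(s: str) -> str:
    """Round an ASN.1 time string up to 23:59:59 of its UTC day.

    Unlike a blind overwrite at offset 6, this refuses input whose layout it
    does not recognise, so a GeneralizedTime or a time carrying an explicit
    offset is never silently mangled.
    """
    if is_utctime_z(s):
        return s[:6] + "235959Z"
    if is_generalizedtime_z(s):
        return s[:8] + "235959Z"
    raise ValueError("unsupported ASN.1 time layout: %r" % s)


def asn1_time_to_datetime(s: str) -> datetime:
    """Parse either Zulu form into an aware UTC datetime (RFC 5280 two-digit year rule)."""
    if is_utctime_z(s):
        yy = int(s[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        rest = s[2:12]
    elif is_generalizedtime_z(s):
        year, rest = int(s[:4]), s[4:14]
    else:
        raise ValueError("unsupported ASN.1 time layout: %r" % s)
    month, day, hh, mm, ss = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hh, mm, ss, tzinfo=timezone.utc)


def as_seen_at_offset(s: str, offset_hours: int) -> tuple:
    """(Y, M, D, h, m, s) that a viewer in a fixed UTC+offset zone sees for the stored time."""
    local = asn1_time_to_datetime(s).astimezone(timezone(timedelta(hours=offset_hours)))
    return local.timetuple()[:6]


def local_end_of_day_as_utctime(year: int, month: int, day: int, offset_hours: int) -> str:
    """The '155959Z' idea made explicit: 23:59:59 local on the given date, encoded
    as UTCTime, assuming the zone's offset is fixed. If the offset in force when
    the certificate expires differs (DST, a rule change), this is simply wrong."""
    local = datetime(year, month, day, 23, 59, 59,
                     tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")
```

Rounding "070731101500Z" gives "070731235959Z"; viewed at UTC+8 that is 1 August 2007 07:59:59, exactly the display the poster saw, and local_end_of_day_as_utctime(2007, 7, 31, 8) reproduces the "070731155959Z" that the '155959Z' edit hard-codes.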