On Thu, Jul 17, 2014 at 12:56:40AM -0400, Daniel Kahn Gillmor wrote:

> > You've declared "-days" to take only positive numbers, it should
> > allow negative numbers.
>
> why? Or at least: why accept these generally unacceptable options by
> default? I can understand wanting to be able to create perverse
> certificates to test validation stacks, but i don't think that the
> command line tool used by many people to create certs should be willing
> to create known bad certs without explicitly overriding a warning or
> something.

Command-line tools on unix systems do what they're told. The
resulting certificate is well-formed, and never valid. However in
some applications expiration checks are irrelevant (fingerprint
checks and the like), and a deliberately pre-expired certificate
may be a reasonable choice.

Higher-level tools can check the "days" argument before invoking
the openssl apps layer. It should not be necessary to write C code
to generate well-formed if corner-case certificates.

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
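
The split discussed in this message, with the policy check living in a higher-level tool and the override made explicit, can be sketched as follows. This is an added example, not part of the original thread and not OpenSSL code; `validate_days`, `make_selfsigned`, the `allow-expired` keyword and the `example.invalid` subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: policy check in a wrapper, ahead of the openssl apps layer.
# validate_days, make_selfsigned and the "allow-expired" override are
# hypothetical names, not OpenSSL options.

# validate_days DAYS [allow-expired]
# returns 0 = accept, 1 = refused by policy, 2 = not a usable integer
validate_days() {
    vd_days=$1
    vd_override=${2:-}
    case $vd_days in
        ''|-|*[!0-9-]*|?*-*)
            echo "days must be an integer, got '$vd_days'" >&2
            return 2 ;;
    esac
    # Bound the length so the arithmetic test below cannot overflow.
    if [ "${#vd_days}" -gt 6 ]; then
        echo "days out of range: $vd_days" >&2
        return 2
    fi
    if [ "$vd_days" -le 0 ] && [ "$vd_override" != allow-expired ]; then
        echo "refusing days=$vd_days: certificate would never be valid" >&2
        echo "pass 'allow-expired' to create it deliberately" >&2
        return 1
    fi
    return 0
}

# make_selfsigned KEYFILE CERTFILE DAYS [allow-expired]
# Calls openssl only after the policy check passes. Whether the installed
# openssl accepts a non-positive -days is decided by that build, which is
# the question under discussion in the thread.
make_selfsigned() {
    validate_days "$3" "${4:-}" || return $?
    openssl req -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=example.invalid" \
        -keyout "$1" -out "$2" -days "$3"
}
```

A caller that pins certificates by fingerprint would pass `allow-expired` on purpose; every other caller gets the refusal by default without the underlying tool having to enforce it.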