Here is the output: C:\Program Files\OpenVPN\bin>openssl.exe verify -trusted ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.ca.crt ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.crt ..\config\ssl_h...@l1139218.vt-security.de\l1139218.vt-security.de.user.crt: OK
But it seems I don't have the root certificate, just the CA certificate? I will send both certificate files in another mail. Wolfgang -----Ursprüngliche Nachricht----- Von: openssl-users <openssl-users-boun...@openssl.org> Im Auftrag von Jan Just Keijser Gesendet: Montag, 4. März 2019 10:36 An: Richard Levitte <levi...@openssl.org>; openssl-users@openssl.org Betreff: Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field Hi Richard, On 04/03/19 10:27, Richard Levitte wrote: > On Mon, 04 Mar 2019 10:06:54 +0100, > Jan Just Keijser wrote: > ... >> Having said that, I just created a certificate set to expire on Mar 9 >> 2037 and it passed the following command: >> c:\program files\openvpn\bin\openssl x509 -dates -subject -noout >> -in mycert.crt >> >> can you run the same command on the failing certificate? > That's a poor test. 'openssl x509' doesn't verify the certificate, > and the error comes up during verification. To verify, use 'openssl > verify'. Here's an example with OpenSSL test files: > > openssl verify -trusted test/certs/root-cert.pem > test/certs/ca-cert.pem > > So in Wolfgang's case, I suspect something like this would say more: > > openssl verify -trusted .....ca.crt .....user.crt > you were one step ahead of me :) I fully agree that it is a poor test, I was just wondering if there was an encoding error in the cert itself, esp as the EndDate approaches the 32bit epoch... Wolfgang, can you send me both the client cert and the CA cert that goes with it? both are public info. cheers, JJK / Jan Just Keijser
