On Mon, Sep 12, 2016 at 11:40:44AM -0700, Philip Guenther wrote:
> That value is acceptable...when encoded as required.
> [...]
> The notAfter time is before 2050, so it MUST be encoded as a UTCTIME,
> but it isn't. You need to fix your CA software to generate
> RFC-compliant certificates when signing them.
>

Thank you for the prompt and informative reply!

Looking through my build notes (I've learned to keep notes for things
like this), I found that I originally created the CA cert with this
command:

    openssl ca -selfsign -config root-ca.conf -in CA/root-ca.csr \
        -out CA/root-ca.crt -extensions root_ca_ext \
        -enddate 20351231235959Z

As a test, I generated a new root cert with the same process, replacing

    -enddate 20351231235959Z

with

    -enddate 351231235959Z

The resulting cert, and a server cert that I signed with it, both
validate properly on my OpenBSD server. I guess I'll now need to
re-create all my certs, but at least they'll be RFC-compliant.

Thanks again,

George Lane
Atlanta, US
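
Added example (not part of the original message and not OpenSSL or OpenBSD code): a Python check of the rule quoted above (RFC 5280 section 4.1.2.5: validity dates before 2050 must be UTCTime), run on DER Validity fields built from the two -enddate values in the message. The notBefore value and all function names are assumptions made for illustration.

```python
# Added example: RFC 5280 section 4.1.2.5 check on a DER-encoded Validity field.
UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x17, 0x18, 0x30

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER element."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in a Validity field")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos + 2:end], end

def check_time(tag, value):
    """Return (year, problem); problem is None when the encoding is compliant."""
    text = value.decode("ascii")
    if tag == UTCTIME and len(text) == 13 and text.endswith("Z"):
        yy = int(text[:2])
        # Two-digit years: 50-99 mean 19YY, 00-49 mean 20YY.
        return (1900 + yy if yy >= 50 else 2000 + yy), None
    if tag == GENERALIZEDTIME and len(text) == 15 and text.endswith("Z"):
        year = int(text[:4])
        if year < 2050:
            return year, "GeneralizedTime used for a date before 2050"
        return year, None
    return None, "not a YYMMDDHHMMSSZ UTCTime or YYYYMMDDHHMMSSZ GeneralizedTime"

def check_validity(der_bytes):
    """Check notBefore and notAfter in a DER Validity SEQUENCE."""
    tag, body, _ = read_tlv(der_bytes, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    results, pos = {}, 0
    for name in ("notBefore", "notAfter"):
        t, v, pos = read_tlv(body, pos)
        results[name] = check_time(t, v)
    return results

def der(tag, value):
    """Encode one short-form DER element (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample input: notBefore is made up; the two notAfter values
# are the -enddate arguments from the message above.
NOT_BEFORE = der(UTCTIME, b"160912000000Z")
BAD = der(SEQUENCE, NOT_BEFORE + der(GENERALIZEDTIME, b"20351231235959Z"))
GOOD = der(SEQUENCE, NOT_BEFORE + der(UTCTIME, b"351231235959Z"))

if __name__ == "__main__":
    for label, blob in (("4-digit year", BAD), ("2-digit year", GOOD)):
        print(label, check_validity(blob))
```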