Not according to the PKIX RFC 5280 CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime. Conforming applications MUST be able to process validity dates that are encoded in either UTCTime or GeneralizedTime.
Of course, you may not need IETF PKIX compliant certificates. Apparently you can create them with openssl, but you can't display them. What you probably want is a way to input data in any timezone and have it always made pkix-conformant in the certificate. That's an open item, part of larger work on times, offsets, durations, etc. To be addressed in a future release. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz
