Hello Stefan,
thanks for reporting, we are already aware of this issue and will
provide updated packages as soon as we have tested the fix.
best regards
Oliver
On 09.01.25 14:19, Strasser Stefan wrote:
Hello
On requesting a certificate which should expire 2050, openxpki creates
a certificate with a “not after” of 1950.
OpenXPKI 3.30.3 (same with 3.28.4)
Certificate requested by EST
Validity definition in profile:
validity:
notafter: +25
openxpki WebUI presents this:
* Correct “not after” date (2050-01-09 ….) in
o Certificate query result list
o Certificate details page
* Wrong “not after” date (1950-01-09 …) in
o “Display certificate on screen (Text + PEM)” from certificate
details page
The 1950 expiration is shown as well on checking the certificates
content with openssl 3.0.13 cli or windows-10 UI. Using such a
1950-certificate to authorize another EST-request results in rejection
of the SSL/TLS-connection because of certification expiration.
This was no issue until end of last year (2024+25=2049). If I change
now the validity definition in the profile to e.g. “+24” the result is
correct again (2049).
The CA is even longer valid and there is no issue with that
certificate, but the CA has not been created with openxpki.
It seems that this has something todo with the PKI-specification. I’ve
found [1] which mentiones in short this:
1. RFC5280 (about PKI) states this:
1. Dates up to 2049 should be specified in UTCTime
2. Dates beginning in the year 2050 should be specified as
GeneralizedTime
3. All client consumers of the certificate should be able to evaluate
both UTCTime and GeneralizedTime.
2. UTCTime is defined as YYMMDDHHMMSS (two-digit year), 50 (and
above) being interpreted as 1950. GeneralizedTime uses then
for-digit year.
Assuming that a current openssl version is a correct behaving
consumer, something must be wrong at creation of the certificate. Is
this an openxpki bug or maybe something in a library used by openxpki?
Kind regards,
Stefan
[1] https://www.redhat.com/en/blog/certificate-y2k20-bug
The information transmitted is only for the person or entity to which
it is addressed and may contain confidential and legally privileged
material. If you received this in error, please contact the sender.
Any review, retransmission, dissemination or other use of, this
information by persons or entities other than the intended recipient
is prohibited. You have asked us to correspond with you by email.
However, the written version of our document signed by us is the only
authoritative version. Note that email correspondence can be lost or
falsified, with or without any interference by third persons.
Conventional emails are not protected against access by third persons
and their confidentiality and integrity may not be assured. Moreover,
despite our use of antivirus software, a virus may enter your systems
in connection with the sending of emails. Thus, we are not liable for
any damages resulting out of these circumstances.
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
