When playing with "openssl ca" with various validity end dates, I could
not manage end dates of 2050 or later - until I started reading the code and
RFC 5280. As far as I understand it now (and as confirmed by various
tests), the openssl parameter "-enddate" expects one of two date/time
formats - depending on whether the date is before 2050 or not. This is far
from obvious, hence I'd like to propose the change below to the man page.

Regards
Holger


--- ./usr.bin/openssl/openssl.1
+++ ./usr.bin/openssl/openssl.1
@@ -361,7 +361,11 @@ The number of days to certify the certif
.It Fl enddate Ar date
Set the expiry date.
The format of the date is YYMMDDHHMMSSZ
-.Pq the same as an ASN.1 UTCTime structure .
+.Pq the same as an ASN.1 UTCTime structure
+for dates before 2050.
+The format of the date is YYYYMMDDHHMMSSZ
+.Pq the same as an ASN.1 GeneralizedTime structure
+for 2050 and later (see RFC 5280).
.It Fl extensions Ar section
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to
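
Review bot: the added text under ".It Fl enddate Ar date" says which format goes with which date range but not why, and it repeats "The format of the date is" with asymmetric qualifiers ("for dates before 2050." versus "for 2050 and later"). A two-digit UTCTime year cannot express 2050 or later, because RFC 5280 section 4.1.2.5 reads YY below 50 as 20YY and YY of 50 or above as 19YY. Saying so in one sentence would tell the reader that the four-digit form is required from 2050 on, not merely an alternative. I would fold the two sentences into one that names both formats, word the ranges in parallel ("for dates before 2050" and "for dates in 2050 or later"), and cite the RFC section rather than the bare "(see RFC 5280)".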
