On Tue, Feb 27, 2018 at 08:54:48PM +0100, Holger Mikolon wrote:
> When playing with "openssl ca" with various validity end dates I could
> not manage end dates of 2050 or later - until I started reading code and
> the RFC 5280. As far as I understand it now (and is confirmed by various
> tests), the openssl parameter "-enddate" expects one of two date/time
> formats - depending on whether the date is before 2050 or not. This is far
> from obvious, hence I'd like to propose below change to the man page.
> 
> Regards
> Holger
> 
> 
> --- ./usr.bin/openssl/openssl.1
> +++ ./usr.bin/openssl/openssl.1
> @@ -361,7 +361,11 @@ The number of days to certify the certif
> .It Fl enddate Ar date
> Set the expiry date.
> The format of the date is YYMMDDHHMMSSZ
> -.Pq the same as an ASN.1 UTCTime structure .
> +.Pq the same as an ASN.1 UTCTime structure
> +for dates before 2050.
> +The format of the date is YYYYMMDDHHMMSSZ
> +.Pq the same as an ASN.1 GeneralizedTime structure
> +for 2050 and later (see RFC 5280).
> .It Fl extensions Ar section
> The section of the configuration file containing certificate extensions
> to be added when a certificate is issued (defaults to
> 
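Review bot: The change stops at -enddate, but the -startdate entry of the same page carries the identical "The format of the date is YYMMDDHHMMSSZ" sentence, so if the 2050 cutoff applies there as well it belongs in the same change. Within the added lines, "The format of the date is" now appears twice in a row; one sentence that gives both forms and the cutoff would read better than two parallel ones.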

hi.

i wonder whether we could more simply just use the date format [YY]YY,
explain the 2050 cutoff, and forget about mentioning asn.1 time
structures.

or do you think there is a practical reason why the user would need to
know it? i suspect not.

there is also "startdate" for openssl ca. we should probably do the same
for that, assuming it applies.

so sth like the diff below.
jmc

Index: openssl.1
===================================================================
RCS file: /cvs/src/usr.bin/openssl/openssl.1,v
retrieving revision 1.87
diff -u -r1.87 openssl.1
--- openssl.1   18 Feb 2018 07:43:55 -0000      1.87
+++ openssl.1   27 Feb 2018 21:38:06 -0000
@@ -360,8 +360,8 @@
 The number of days to certify the certificate for.
 .It Fl enddate Ar date
 Set the expiry date.
-The format of the date is YYMMDDHHMMSSZ
-.Pq the same as an ASN.1 UTCTime structure .
+The format of the date is [YY]YYMMDDHHMMSSZ,
+with all four year digits required for dates after 2050.
 .It Fl extensions Ar section
 The section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to
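Review bot: "required for dates after 2050" on the added line leaves the year 2050 itself on the two-digit side, while the original report puts the cutoff at "2050 and later"; suggest "required for dates in 2050 or later". The [YY]YY notation also no longer says which century a two-digit year falls in, which is worth a few words now that the ASN.1 UTCTime reference is dropped.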
@@ -492,8 +492,8 @@
 A single self-signed certificate to be signed by the CA.
 .It Fl startdate Ar date
 Set the start date.
-The format of the date is YYMMDDHHMMSSZ
-.Pq the same as an ASN.1 UTCTime structure .
+The format of the date is [YY]YYMMDDHHMMSSZ,
+with all four year digits required for dates after 2050.
 .It Fl status Ar serial
 Show the status of the certificate with serial number
 .Ar serial .
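Review bot: The -startdate text is changed on the assumption that it behaves like -enddate ("assuming it applies"), and the report only describes tests with -enddate, so this hunk needs a check with a start date in 2050 or later before it goes in. "after 2050" here also excludes 2050 itself; "in 2050 or later" matches the reported cutoff.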

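The two date forms discussed in this thread, as an added example that is not part of either mail or of the openssl source: it builds the string for a given expiry time and parses one back. The two-digit pivot (50 to 99 means 19YY) is RFC 5280's rule for UTCTime; the function names are hypothetical.

```python
# Added example: encode/decode the [YY]YYMMDDHHMMSSZ strings from the thread.
# Rules follow RFC 5280 section 4.1.2.5; function names are hypothetical.
import re
from datetime import datetime, timezone

_DATE_RE = re.compile(r"(\d{2}|\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def format_validity_date(dt):
    """Two-digit year (UTCTime) for 1950-2049, four digits otherwise."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    dt = dt.astimezone(timezone.utc)  # the trailing Z means UTC
    tail = dt.strftime("%m%d%H%M%SZ")
    if 1950 <= dt.year <= 2049:
        return "%02d%s" % (dt.year % 100, tail)
    return "%04d%s" % (dt.year, tail)


def parse_validity_date(text):
    """Parse either form; a two-digit year is read as RFC 5280 reads it."""
    m = _DATE_RE.fullmatch(text)
    if not m:
        raise ValueError("expected [YY]YYMMDDHHMMSSZ, got %r" % (text,))
    year = m.group(1)
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    if len(year) == 2:
        # RFC 5280: YY >= 50 is 19YY, YY < 50 is 20YY.
        yy = int(year)
        full_year = 1900 + yy if yy >= 50 else 2000 + yy
    else:
        full_year = int(year)
    # datetime() rejects impossible dates such as month 13 with ValueError.
    return datetime(full_year, month, day, hour, minute, second,
                    tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed sample values.
    print(format_validity_date(datetime(2049, 12, 31, 23, 59, 59,
                                        tzinfo=timezone.utc)))
    print(format_validity_date(datetime(2050, 1, 1, tzinfo=timezone.utc)))
    # The pitfall: "50" as a two-digit year is 1950, not 2050.
    print(parse_validity_date("500101000000Z").year)
```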