When playing with "openssl ca" with various validity end dates I could not manage end dates of 2050 or later - until I started reading code and the RFC 5280. As far as I understand it now (and is confirmed by various tests), the openssl parameter "-enddate" expects one of two date/time formats - depending on whether the date is before 2050 or not. This is far from obvious, hence I'd like to propose below change to the man page.
Regards Holger --- ./usr.bin/openssl/openssl.1 +++ ./usr.bin/openssl/openssl.1 @@ -361,7 +361,11 @@ The number of days to certify the certif .It Fl enddate Ar date Set the expiry date. The format of the date is YYMMDDHHMMSSZ -.Pq the same as an ASN.1 UTCTime structure . +.Pq the same as an ASN.1 UTCTime structure +for dates before 2050. +The format of the date is YYYYMMDDHHMMSSZ +.Pq the same as an ASN.1 GeneralizedTime structure +for 2050 and later (see RFC 5280). .It Fl extensions Ar section The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to
