On Tue, Feb 27, 2018 at 08:54:48PM +0100, Holger Mikolon wrote: > When playing with "openssl ca" with various validity end dates I could > not manage end dates of 2050 or later - until I started reading code and > the RFC 5280. As far as I understand it now (and is confirmed by various > tests), the openssl parameter "-enddate" expects one of two date/time > formats - depending on whether the date is before 2050 or not. This is far > from obvious, hence I'd like to propose below change to the man page. > > Regards > Holger > > > --- ./usr.bin/openssl/openssl.1 > +++ ./usr.bin/openssl/openssl.1 > @@ -361,7 +361,11 @@ The number of days to certify the certif > .It Fl enddate Ar date > Set the expiry date. > The format of the date is YYMMDDHHMMSSZ > -.Pq the same as an ASN.1 UTCTime structure . > +.Pq the same as an ASN.1 UTCTime structure > +for dates before 2050. > +The format of the date is YYYYMMDDHHMMSSZ > +.Pq the same as an ASN.1 GeneralizedTime structure > +for 2050 and later (see RFC 5280). > .It Fl extensions Ar section > The section of the configuration file containing certificate extensions > to be added when a certificate is issued (defaults to >
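Review bot: The added lines cover only -enddate and repeat "The format of the date is" in two consecutive sentences. The -startdate entry on the same page carries the identical YYMMDDHHMMSSZ wording (it shows up as the removed lines in the follow-up diff) and is left untouched here. Suggest folding the two sentences into one that names both forms and the 2050 boundary, and giving -startdate the same text if the cutoff applies to it.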
hi. i wonder whether we could more simply just use the date format [YY]YY, explain the 2050 cutoff, and forget about mentioning asn.1 time structures. or do you think there is a practical reason why the user would need to know it? i suspect not. there is also "startdate" for openssl ca. we should probably do the same for that, assuming it applies. so sth like the diff below. jmc Index: openssl.1 =================================================================== RCS file: /cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.87 diff -u -r1.87 openssl.1 --- openssl.1 18 Feb 2018 07:43:55 -0000 1.87 +++ openssl.1 27 Feb 2018 21:38:06 -0000 @@ -360,8 +360,8 @@ The number of days to certify the certificate for. .It Fl enddate Ar date Set the expiry date. -The format of the date is YYMMDDHHMMSSZ -.Pq the same as an ASN.1 UTCTime structure . +The format of the date is [YY]YYMMDDHHMMSSZ, +with all four year digits required for dates after 2050. .It Fl extensions Ar section The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to @@ -492,8 +492,8 @@ A single self-signed certificate to be signed by the CA. .It Fl startdate Ar date Set the start date. -The format of the date is YYMMDDHHMMSSZ -.Pq the same as an ASN.1 UTCTime structure . +The format of the date is [YY]YYMMDDHHMMSSZ, +with all four year digits required for dates after 2050. .It Fl status Ar serial Show the status of the certificate with serial number .Ar serial .
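Review bot: In the -enddate hunk (@@ -360,8), "required for dates after 2050" leaves the year 2050 itself ambiguous, whereas the original proposal states the four-digit form is for "2050 and later". Suggest wording such as "with all four year digits required for dates in 2050 or later".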
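Review bot: The -startdate hunk (@@ -492,8) rests on the message's own caveat "assuming it applies"; nothing in the thread shows the four-digit form was tried with -startdate, while the -enddate behaviour was reported as confirmed by tests. Worth checking a start date in 2050 or later against "openssl ca" before committing this hunk.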
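The 2050 cutoff discussed in this thread, as an added example that is not part of either message or of the openssl code: `ca_date_arg` picks the form described in the first message, and `parse_ca_date` shows how RFC 5280 reads a two-digit year, so `500101000000Z` means 1950 rather than 2050. Both function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# [YY]YYMMDDHHMMSSZ: 12 digits (two-digit year) or 14 digits (four-digit year).
_DATE_RE = re.compile(r"(\d{2}|\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def ca_date_arg(when: datetime) -> str:
    """Format a datetime for -startdate/-enddate as described in the thread."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: the trailing Z means UTC")
    when = when.astimezone(timezone.utc)
    if not 1950 <= when.year <= 9999:
        raise ValueError("year outside 1950..9999")
    # RFC 5280: UTCTime (two-digit year) through 2049,
    # GeneralizedTime (four-digit year) from 2050 onwards.
    fmt = "%y%m%d%H%M%SZ" if when.year < 2050 else "%Y%m%d%H%M%SZ"
    return when.strftime(fmt)


def parse_ca_date(text: str) -> datetime:
    """Interpret a date string the way RFC 5280 reads the two ASN.1 time types."""
    m = _DATE_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not [YY]YYMMDDHHMMSSZ: {text!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    if len(m.group(1)) == 2:
        # RFC 5280 section 4.1.2.5.1: YY >= 50 is 19YY, YY < 50 is 20YY.
        year += 1900 if year >= 50 else 2000
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed sample dates on either side of the cutoff.
    for sample in (datetime(2049, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
                   datetime(2050, 1, 1, tzinfo=timezone.utc)):
        arg = ca_date_arg(sample)
        print(f"{sample.isoformat()} -> {arg} -> {parse_ca_date(arg).year}")
```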