openssl req sets wrong "not after" date (overflow bug?)

ssl-certificate openssl certificate-authority

I tried to gernerate my own root CA with a validity of 40 years as follow: openssl req -new -newkey rsa:4096 -x509 -days 10950 -extensions v3_ca -keyout myca.key -out myca.crt -config /etc/ssl/openssl.cnf

So far so good, finally let's take a look at the certificate with openssl x509 -noout -text -in myca.crt:

   Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=DE, ST=Berlin, L=Berlin, O=Org, OU=Unit, CN=My Root CA/[email protected]
    Validity
        Not Before: Jan 31 14:07:06 2012 GMT
        Not After : Dec 18 07:38:50 1905 GMT

Why is the valid to date (not after date) wrong in the certificate? And what can be done to correct this?

Some testing showed, that the overflowing occurs somewhere in January 2038..


Solution 1:

Found the problem: (keywords "openssl time_t 32bit")

http://projects.puppetlabs.com/projects/1/wiki/SSL_in_The_Year2038

The "fix" in my opinion is to generate your CA on a system with 64-bit OpenSSL.

Related

389 Directory Server Administrative Limit Exceeded error?
Internet explorer - SID S-1-5-5-0-348885
Nagios custom variables for object inheritance
Sizing requirements for 100 simultaneous VPN connections
I created an RSA key but SSH keeps asking the password
Is my ASA 5505 almost dead?
Manually apply puppet class
Chef Server Migration
My Windows CA (certificate authority) main cert is expiring next week, what do I do?
VSFTP Config to send users to specific folders
why are there many httpd process on the machine while i only started one apache httpd service?
Is there a Windows equivalent of the HAProxy for virtual load balancing?