openssl req sets wrong "not after" date (overflow bug?)

I tried to generate my own root CA with a validity of 40 years as follows:

    openssl req -new -newkey rsa:4096 -x509 -days 10950 -extensions v3_ca -keyout myca.key -out myca.crt -config /etc/ssl/openssl.cnf

So far so good, finally let's take a look at the certificate with openssl x509 -noout -text -in myca.crt:

    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=DE, ST=Berlin, L=Berlin, O=Org, OU=Unit, CN=My Root CA/[email protected]
    Validity
        Not Before: Jan 31 14:07:06 2012 GMT
        Not After : Dec 18 07:38:50 1905 GMT

Why is the valid to date (not after date) wrong in the certificate? And what can be done to correct this?


Some testing showed that the overflow occurs somewhere in January 2038.


Solution 1:

Found the problem: (keywords "openssl time_t 32bit")

http://projects.puppetlabs.com/projects/1/wiki/SSL_in_The_Year2038

The "fix" in my opinion is to generate your CA on a system with 64-bit OpenSSL.
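
An added example (not part of the original answer) that reproduces the wraparound with the question's own values: holding Not Before plus 10950 days in a signed 32-bit time_t lands on exactly the 1905 date shown above. The function names are illustrative and the 32-bit arithmetic is simulated in Python; this is not OpenSSL's code.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # largest value a signed 32-bit time_t can hold


def wrap_int32(value: int) -> int:
    """Reduce an integer to signed 32-bit two's complement, as a 32-bit time_t would."""
    return (value + 2**31) % 2**32 - 2**31


def not_after_32bit(not_before: datetime, days: int) -> datetime:
    """notAfter as it comes out when the end time is held in a signed 32-bit time_t."""
    start = int((not_before - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=wrap_int32(start + days * 86400))


def max_safe_days(not_before: datetime) -> int:
    """Largest -days value whose end time still fits in a signed 32-bit time_t."""
    start = int((not_before - EPOCH).total_seconds())
    return (INT32_MAX - start) // 86400


def validity_is_sane(not_before: datetime, not_after: datetime) -> bool:
    """Check worth running on any freshly issued certificate: end must follow start."""
    return not_after > not_before


if __name__ == "__main__":
    # Values taken from the question: the Not Before timestamp and -days 10950.
    nb = datetime(2012, 1, 31, 14, 7, 6, tzinfo=timezone.utc)
    na = not_after_32bit(nb, 10950)
    print("wrapped notAfter:", na)
    print("validity sane:", validity_is_sane(nb, na))
    print("max -days on 32-bit time_t:", max_safe_days(nb))
```

The computed limit puts the last representable end date in January 2038, matching the testing described in the question.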