Hi Richard,
On 04/03/19 10:27, Richard Levitte wrote:
On Mon, 04 Mar 2019 10:06:54 +0100,
Jan Just Keijser wrote:
...
Having said that, I just created a certificate set to expire on Mar 9 2037 and it passed the
following command:
c:\program files\openvpn\bin\openssl x509 -dates -subject -noout -in mycert.crt
can you run the same command on the failing certificate?
That's a poor test. 'openssl x509' doesn't verify the certificate,
and the error comes up during verification. To verify, use 'openssl
verify'. Here's an example with OpenSSL test files:
openssl verify -trusted test/certs/root-cert.pem test/certs/ca-cert.pem
So in Wolfgang's case, I suspect something like this would say more:
openssl verify -trusted .....ca.crt .....user.crt
you were one step ahead of me :)
I fully agree that it is a poor test, I was just wondering if there was
an encoding error in the cert itself, esp as the EndDate approaches the
32bit epoch...
Wolfgang, can you send me both the client cert and the CA cert that goes
with it? both are public info.
cheers,
JJK / Jan Just Keijser
