Thanks a lot for your lengthy explanation, David Schwartz. I really
appreciate it for you to help me explain all this. I noted you said that
what I did might be sensible if three things are the case:
1) The locale you are using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one
place.
3) The certificate expires in the near future, so a risk of a change in
daylight savings time rules is low.

For no. (1), I'm not really sure about this daylight savings time. I
reside in Malaysia (next to Singapore and Thailand) and I'm not sure whether
my country has any daylight savings time or not. For no. (2), currently the
issued certificates are only used in our office.

I don't know the daylight savings time rules in your area, but if you have
daylight savings time, then some of your certificates will expire an hour
off from when you intended. I'm pretty sure you do have a daylight savings
time and certificates issued that expire during daylight savings time will
not actually expire at midnight but will be one hour off.

    if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey,
                             pinfo.begin_validity,
                             pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL)
    {
        ret = ERROR_MAKECERT;
        goto end3;
    }

    X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007
    X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007

This is wrong, you cannot modify the certificate after it is signed. You
have to modify the 'MakeCertificate' function.

As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup
after the call to MakeCertificate. The generated certificate will have the
desired expiry date, but the cert itself would be corrupted. It will have
this message displayed in the cert - "The integrity of this certificate
cannot be guaranteed. The certificate may be corrupted or may have been
altered." I guess this happens because I added the line X509_gmtime_ after
the cert has been created, right? But I don't know anywhere else where I
should put it.

Inside the 'MakeCertificate' function.

And for the MakeCertificate function which was called above, all I could
find was this code:

    X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key,
                          char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays,
                          long pserial,int palgo,int ca_type)

which was located in the Global.h file. It doesn't seem there is anywhere I
can put the X509_gmtime_roundup line....

Where is the code to the 'MakeCertificate' function? That's where you'll
have to do it.

DS
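
An added example, not part of the original thread and not code from OpenSSL or the poster's project: computing a notAfter value purely in UTC so that it lands on midnight regardless of any daylight savings rule, and rendering it as the ASN.1 time string an X.509 validity field carries. The function names are hypothetical, and "round up to the next 00:00:00 UTC" is an assumption about the rounding the thread wants.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SECS_PER_DAY 86400L

/* Hypothetical helper (not OpenSSL, not the poster's code): notAfter is
 * issue time + days, rounded up to the next 00:00:00 UTC. It works on
 * epoch seconds only, so no local time zone or DST rule is involved.
 * Assumes issued >= 0 and a 64-bit time_t. */
time_t not_after_utc_midnight(time_t issued, long days)
{
    time_t t = issued + (time_t)days * SECS_PER_DAY;
    time_t rem = t % SECS_PER_DAY;
    return rem ? t + (SECS_PER_DAY - rem) : t;
}

/* Render t the way an X.509 validity field encodes it. RFC 5280: UTCTime
 * (two-digit year) through 2049, GeneralizedTime from 2050 on.
 * Returns 0 on success, -1 on failure. */
int format_asn1_time(time_t t, char *out, size_t outlen)
{
    const struct tm *tm = gmtime(&t);   /* always UTC, never localtime() */
    if (tm == NULL)
        return -1;
    const char *fmt = (tm->tm_year + 1900 < 2050) ? "%y%m%d%H%M%SZ"
                                                  : "%Y%m%d%H%M%SZ";
    return strftime(out, outlen, fmt, tm) > 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: issued 2007-07-16 09:30:00 UTC, valid 365 days. */
    time_t issued = 1184578200;
    time_t not_after = not_after_utc_midnight(issued, 365);
    char buf[32];

    if (format_asn1_time(not_after, buf, sizeof buf) != 0)
        return 1;
    /* This value belongs in the certificate before the signing call;
     * changing notAfter afterwards invalidates the signature. */
    printf("notAfter = %s\n", buf);
    return 0;
}
```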
