No wonder I couldn't find the MakeCertificate function, it actually
resides in an external library. I'll try to do anything I can to make
sure it works as needed.

However, thank you very much for your help, David Schwartz. If you were in
the java.sun.com forum I'd surely have given you at least 7 duke dollars.

Thanks again

On 7/17/07, David Schwartz wrote:
>
> Thanks a lot for your lengthy explanation, David Schwartz. I really
> appreciate your help in explaining all this. I noted you said that what
> I did might be sensible if three things are the case:
> 1) The locale you are using the certificate in has no daylight savings
> time.
> 2) The certificate isn't going anywhere, it's only going to be used in one
> place.
> 3) The certificate expires in the near future, so a risk of a change in
> daylight savings time rules is low.
>
> For no. (1), I'm not really sure about this daylight savings time. I
> reside in Malaysia (next to Singapore and Thailand) and I'm not sure whether
> my country has any daylight savings time or not. For no. (2), currently the
> issued certificates are only used in our office.
>
> I don't know the daylight savings time rules in your area, but if you have
> daylight savings time, then some of your certificates will expire an hour
> off from when you intended. I'm pretty sure you do have a daylight savings
> time and certificates issued that expire during daylight savings time will
> not actually expire at midnight but will be one hour off.
>
>     if ((x = MakeCertificate(req, sconf, nconf, NULL, ca, ca_pkey,
>                              pinfo.begin_validity, pinfo.validity,
>                              pinfo.serial, pinfo.algo, 0)) == NULL)
>     {
>         ret = ERROR_MAKECERT;
>         goto end3;
>     }
>
>     X509_gmtime_adj(X509_get_notBefore(x), 0); //added on 16/7/2007
>     X509_gmtime_adj(X509_get_notAfter(x), (long)60*60*24*pinfo.validity); //added on 16/7/2007
>     X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007
>
> This is wrong, you cannot modify the certificate after it is signed. You
> have to modify the 'MakeCertificate' function.
>
> As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup
> after the call to makeCertificate. The generated certificate will have the
> desired expiry date, but the cert itself would be corrupted. It will have
> this message displayed in the cert - "The integrity of this certificate
> cannot be guaranteed. The certificate may be corrupted or may have been
> altered." I guess this happens because I added the line X509_gmtime_ after
> the cert has been created, right? But I don't know anywhere else where I
> should put it.
>
> Inside the 'MakeCertificate' function.
>
> And for the MakeCertificate function which was called above, all I could
> find was this code:
>
> X509 *MakeCertificate(X509_REQ *preq, char **sconf, int nconf,
>                       EVP_PKEY *self_key, char *cacert_file,
>                       EVP_PKEY *ca_key, int pbegin, int pdays,
>                       long pserial, int palgo, int ca_type)
>
> which was located in the Global.h file. There doesn't seem to be anywhere I
> can put the X509_gmtime_roundup line....
>
> Where is the code to the 'MakeCertificate' function? That's where you'll
> have to do it.
>
> DS

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
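
The one-hour drift described in the reply above, as an added example (not code from this thread or from OpenSSL): it takes local midnight on the issue date, adds 60*60*24*days seconds as the quoted code does, and reports the local hour the expiry lands on. The two TZ strings and the function names are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* setenv, tzset, localtime_r */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed zones in POSIX TZ syntax, so no tzdata files are needed. */
#define TZ_WITH_DST "EST5EDT,M3.2.0,M11.1.0" /* DST: 2nd Sun Mar to 1st Sun Nov */
#define TZ_FIXED    "MYT-8"                  /* fixed UTC+8, no DST rule */

/* time_t for 00:00 local time on y-m-d in the zone currently set by tzset(). */
static time_t local_midnight(int y, int m, int d)
{
    struct tm tm = {0};
    tm.tm_year = y - 1900;
    tm.tm_mon = m - 1;
    tm.tm_mday = d;
    tm.tm_isdst = -1;             /* let libc decide whether DST applies */
    return mktime(&tm);
}

/* Local hour at which a certificate expires when notAfter is taken as
 * local midnight on the issue date plus 60*60*24*days seconds. */
int expiry_local_hour(const char *tz, int y, int m, int d, long days)
{
    struct tm out;
    time_t not_after;

    setenv("TZ", tz, 1);
    tzset();
    not_after = local_midnight(y, m, d) + 60L * 60 * 24 * days;
    localtime_r(&not_after, &out);
    return out.tm_hour;
}

int main(void)
{
    /* Validity period crosses the start of DST: expiry slips past midnight. */
    printf("DST zone, 2007-03-01 + 30 days:    %02d:00 local\n",
           expiry_local_hour(TZ_WITH_DST, 2007, 3, 1, 30));
    /* Validity period crosses the end of DST: expiry falls before midnight. */
    printf("DST zone, 2007-07-17 + 180 days:   %02d:00 local\n",
           expiry_local_hour(TZ_WITH_DST, 2007, 7, 17, 180));
    /* No DST rule: fixed-length days keep the expiry at local midnight. */
    printf("Fixed zone, 2007-07-17 + 180 days: %02d:00 local\n",
           expiry_local_hour(TZ_FIXED, 2007, 7, 17, 180));
    return 0;
}
```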