I tried to generate my own root CA with a validity of 40 years as follows:
openssl req -new -newkey rsa:4096 -x509 -days 10950 -extensions v3_ca -keyout myca.key -out myca.crt -config /etc/ssl/openssl.cnf
So far so good, finally let's take a look at the certificate with openssl x509 -noout -text -in myca.crt:
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Berlin, L=Berlin, O=Org, OU=Unit, CN=My Root CA/[email protected]
Validity
Not Before: Jan 31 14:07:06 2012 GMT
Not After : Dec 18 07:38:50 1905 GMT
Why is the valid to date (not after date) wrong in the certificate? And what can be done to correct this?
Some testing showed that the overflow occurs somewhere in January 2038.
Found the problem: (keywords "openssl time_t 32bit")
http://projects.puppetlabs.com/projects/1/wiki/SSL_in_The_Year2038
The "fix" in my opinion is to generate your CA on a system with 64-bit OpenSSL.
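
The wraparound discussed in this thread can be reproduced with plain arithmetic. The following is an added example, not code from the original posts or from OpenSSL; it assumes notAfter is computed as notBefore plus days * 86400 seconds in a signed 32-bit time_t, and all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # 03:14:07 UTC on 19 Jan 2038


def wrap_int32(n):
    """Reduce n to a signed 32-bit value, as a 32-bit time_t would store it."""
    return (n + 2**31) % 2**32 - 2**31


def not_after(not_before, days, time_t_bits=64):
    """notAfter = notBefore + days, computed in a time_t of the given width.

    Assumption: the end date is derived by adding days * 86400 seconds.
    """
    seconds = int((not_before - EPOCH).total_seconds()) + days * 86400
    if time_t_bits == 32:
        seconds = wrap_int32(seconds)
    return EPOCH + timedelta(seconds=seconds)


def max_safe_days(not_before):
    """Largest -days value whose end date still fits a signed 32-bit time_t."""
    return (INT32_MAX - int((not_before - EPOCH).total_seconds())) // 86400


def fmt(dt):
    # Same layout as the Validity lines printed by `openssl x509 -text`.
    return dt.strftime("%b %d %H:%M:%S %Y GMT")


if __name__ == "__main__":
    # notBefore and -days value taken from the question above.
    nb = datetime(2012, 1, 31, 14, 7, 6, tzinfo=timezone.utc)
    print("32-bit time_t:", fmt(not_after(nb, 10950, 32)))
    print("64-bit time_t:", fmt(not_after(nb, 10950, 64)))
    print("largest safe -days on 32-bit:", max_safe_days(nb))
```

A Not After date that precedes Not Before, as in the output above, is a quick indicator that a certificate was issued on a system affected by this overflow.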