Hi

On Thu, Mar 01, 2007 at 03:12:15PM +0000, Erich Titl wrote:
> Hi
>
> Konrad Karl wrote:
> > Hi all,
> >
> > Every now and then I have to work around some machines with
> > incorrect clock settings - for now I set the time back for
> > a couple of years on the easy-rsa machine (using libfaketime-0.4.tar.gz
> > on linux) but would like to avoid that kludge.
>
> The kludge is the incorrect clock setting.

I admit but I have been hurt by a failing CMOS clock which required
travelling (been locked out), and in addition, embedded systems might
have no accurate wall clock so I will have to fake the date and time anyways.

> >
> > Is there an option to specify the certificate start date/time
> > to openssl?
>
> Yes
>
> OpenSSL> ca -?
> unknown option -?
> usage: ca args
>
>  -verbose                 - Talk alot while doing things
>  -config file             - A config file
>  -name arg                - The particular CA definition to use
>  -gencrl                  - Generate a new CRL
>  -crldays days            - Days is when the next CRL is due
>  -crlhours hours          - Hours is when the next CRL is due
>  -startdate YYMMDDHHMMSSZ - certificate validity notBefore
>  -enddate YYMMDDHHMMSSZ   - certificate validity notAfter (overrides -days)

Thanks very much, I was not aware about these ????date options.

It seems the next task is to figure out what is the equivalent of "infinity"
specifying start and end dates. :-)

Given that I have full control over the CA, is there any security gain if
the certs have date/time based validity?

Greetings,
Konrad

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
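
Added example, not part of the original thread: a Python sketch that parses the YYMMDDHHMMSSZ form accepted by -startdate/-enddate and shows how a peer with a wrong clock would judge the resulting validity window. The function names and all sample dates are constructed for illustration, and the check assumes the peer does a plain notBefore/notAfter comparison against its own clock.

```python
from datetime import datetime, timezone

def parse_utctime(s):
    """Parse the YYMMDDHHMMSSZ form shown in the `openssl ca` usage text."""
    if len(s) != 13 or s[12] != "Z" or not s[:12].isdigit():
        raise ValueError(f"expected YYMMDDHHMMSSZ, got {s!r}")
    yy = int(s[:2])
    # RFC 5280 pivot for UTCTime: 50-99 means 19YY, 00-49 means 20YY.
    # (strptime's %y pivots at 69 instead, so the year is parsed by hand.)
    year = 1900 + yy if yy >= 50 else 2000 + yy
    mo, d, h, mi, sec = (int(s[i:i + 2]) for i in range(2, 12, 2))
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)

def format_utctime(dt):
    """Render a datetime as YYMMDDHHMMSSZ, refusing years UTCTime cannot hold."""
    dt = dt.astimezone(timezone.utc)
    if not 1950 <= dt.year <= 2049:
        raise ValueError("UTCTime only covers 1950-2049")
    return dt.strftime("%y%m%d%H%M%SZ")

def check_validity(startdate, enddate, clock):
    """Return how a verifier whose clock reads `clock` sees the validity window."""
    not_before, not_after = parse_utctime(startdate), parse_utctime(enddate)
    if not_after <= not_before:
        raise ValueError("enddate must be later than startdate")
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"

if __name__ == "__main__":
    # Constructed sample values: a device whose clock fell back to 2000-01-01.
    device_clock = datetime(2000, 1, 1, 0, 5, tzinfo=timezone.utc)
    end = "170301000000Z"
    backdated = format_utctime(datetime(1999, 12, 31, tzinfo=timezone.utc))
    for start in ("070301000000Z", backdated):
        print(start, end, check_validity(start, end, device_clock))
```
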