[Openswan Users] Certified Validity

Andreas Steffen andreas.steffen at strongsec.net
Tue Aug 23 21:40:58 CEST 2005


The notBefore date in an X.509 certificate is stored in UTC and
the comparison with the current time is done by *swan in UTC, too.
Therefore a freshly generated certificate can be deployed to any
point in the world and put to use immediately. Of course the computer
clocks must be synchronized by NTP.

In your case I suspect that the timezone information is not set
correctly on one of your boxes, so that the comparison occurs between
a UTC time value and a local time value. See

   man tzset

for details on setting your timezone.

Regards

Andreas

Paul Wouters wrote:
> On Sat, 20 Aug 2005, Mauricio Perez wrote:
> 
>> I have a freeswan VPN, and every time I create a certified it says
>> that's not going to be valid for about 8 hours,
> 
>> is there any way to make it valid the very moment I created it?
> 
> Are you creating it on a machine that is in a different time zone from
> where the certificate will be deployed? As in 8 hours time difference
> perhaps?
> It's a limitation of X.509.
> 
> Of course, this assumes both machines are on NTP and have the proper time.
> 
> Paul

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
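
The UTC-versus-local mismatch suspected in the reply above, as an added example that is not part of the original thread and is not *swan code: it converts a notBefore value with timegm() and shows how a clock set from the same wall-clock reading under the wrong zone makes the certificate look "not yet valid" for eight hours. The notBefore string, the wall-clock reading, the POSIX TZ strings "PST8" and "UTC0", and all function names are constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* timegm() and setenv() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse an ASN.1 UTCTime "YYMMDDHHMMSSZ" (a common notBefore encoding)
 * into UTC epoch seconds, independent of TZ. Returns -1 if malformed. */
time_t utctime_to_epoch(const char *s)
{
    struct tm tm = {0};
    int yy;
    if (strlen(s) != 13 || s[12] != 'Z') return (time_t)-1;
    if (sscanf(s, "%2d%2d%2d%2d%2d%2d", &yy, &tm.tm_mon, &tm.tm_mday,
               &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) return (time_t)-1;
    tm.tm_year = yy < 50 ? yy + 100 : yy;   /* RFC 5280: 00-49 means 20xx */
    tm.tm_mon -= 1;
    return timegm(&tm);                     /* UTC fields -> epoch, no TZ */
}

/* Epoch a box ends up with when its clock is set from wall-clock fields
 * while its zone is `tz` (POSIX TZ string). mktime() applies that zone. */
time_t wall_clock_to_epoch(int y, int mo, int d, int h, int mi, int s, const char *tz)
{
    struct tm tm = {0};
    tm.tm_year = y - 1900; tm.tm_mon = mo - 1; tm.tm_mday = d;
    tm.tm_hour = h; tm.tm_min = mi; tm.tm_sec = s;
    setenv("TZ", tz, 1); tzset();           /* see tzset(3) */
    return mktime(&tm);
}

/* Seconds until notBefore is reached by clock `now`; 0 = valid now. */
long seconds_until_valid(const char *not_before, time_t now)
{
    time_t nb = utctime_to_epoch(not_before);
    if (nb == (time_t)-1) return -1;
    return nb > now ? (long)(nb - now) : 0;
}

int main(void)
{
    const char *nb = "050823194058Z";       /* constructed sample value */
    time_t right = wall_clock_to_epoch(2005, 8, 23, 11, 40, 58, "PST8");
    time_t wrong = wall_clock_to_epoch(2005, 8, 23, 11, 40, 58, "UTC0");
    printf("zone set correctly: wait %ld s\n", seconds_until_valid(nb, right));
    printf("zone left at UTC:   wait %ld s\n", seconds_until_valid(nb, wrong));
    return 0;
}
```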

