[Openswan Users] Host Certificate

Brian Candler B.Candler at pobox.com
Thu May 11 12:06:28 CEST 2006


On Thu, May 11, 2006 at 10:11:38AM +0100, Oliver Tomkins wrote:
> I don't think the certificate had actually expired.  I noticed the date 
> on the host's certificate was exactly 1 year old yesterday and made 2 + 2 
> = 5.

Each certificate has two dates: valid not before (i.e. start), valid not
after (i.e. expiry). Are you saying that your certificate expired one year
ago, or that it was issued one year ago?

You can use

  openssl x509 -in /path/to/cert.pem -text -noout

to see the dates in the certificate.

> max number of retransmissions (2) reached STATE_MAIN_I3.  Possible 
> authentication failure: no acceptable response to our first encrypted 
> message

I believe that if the current time is outside of the certificate's validity
window, then the host won't present it to the peer at all.

I found this problem with Windows clients: if I issued and installed a
certificate immediately, but the CA machine had the wrong timezone set
(GMT-8 instead of GMT, a problem with RoCA unless you remember to set the
timezone at bootup) then the certificate's start of validity was actually 8
hours in the future. The Windows machine acted as if it had no certificate
at all, until those 8 hours had passed.

Regards,

Brian.
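A small checker for the two dates Brian describes, added here as an example and not code from the thread or from Openswan: it parses the output of `openssl x509 -noout -startdate -enddate` (a constructed sample is embedded so it runs offline) and reports whether a certificate is not yet valid, valid, or expired, including the case where the CA's clock ran 8 hours ahead of the client's. The `openssl_validity` helper and the `cert.pem` path are illustrative assumptions.

```python
"""Classify a certificate's validity window from `openssl x509` date output."""
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -in cert.pem -noout -startdate -enddate`
# prints for a certificate issued 2006-05-11 with a one-year lifetime.
SAMPLE_OUTPUT = """notBefore=May 11 10:00:00 2006 GMT
notAfter=May 11 10:00:00 2007 GMT
"""


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands the "Mon DD HH:MM:SS YYYY GMT" form
            seconds = ssl.cert_time_to_seconds(value.strip())
            dates[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def validity_status(not_before, not_after, now=None):
    """'not-yet-valid', 'valid' or 'expired' relative to `now` (default: current UTC)."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not-yet-valid"   # the case a wrong CA timezone produces
    if now > not_after:
        return "expired"
    return "valid"


def openssl_validity(cert_path):
    """Run openssl on a real PEM file (hypothetical path) and return its dates."""
    cmd = ["openssl", "x509", "-in", cert_path, "-noout", "-startdate", "-enddate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_validity(out)


def check_sample():
    """Evaluate the sample cert at three client-side clock readings."""
    nb, na = parse_validity(SAMPLE_OUTPUT)
    return {
        # CA clock 8 hours ahead: the client is still 8 hours before notBefore
        "ca_8h_ahead": validity_status(nb, na, nb.replace(hour=2)),
        "next_day": validity_status(nb, na, nb.replace(day=12)),
        "after_expiry": validity_status(nb, na, na.replace(second=1)),
    }


if __name__ == "__main__":
    print(check_sample())
```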

