[Openswan Users] Strange CA certificate validation
Denis Kondratenko
d.kondratenko at wwpass.com
Mon Jan 18 07:24:04 EST 2010
I execute:
ipsec auto --listall
000
000 List of Public Keys:
000
000 Jan 18 14:41:45 2010, 2048 RSA Key AwEAAclDa, until Jan 15 15:03:03 2012 ok
000 ID_FQDN '@vpn.xxxx.net'
000 Issuer 'O=xxxx, CN=xxxx Intermediate CA'
000 Jan 18 14:41:45 2010, 2048 RSA Key AwEAAclDa, until Jan 15 15:03:03 2012 ok
000 ID_DER_ASN1_DN 'C=xx, ST=xxx, L=xxx, O=xxx, OU=IT, CN=vpn.xxxx.net'
000 Issuer 'O=xxxx, CN=xxxx Intermediate CA'
000
000 List of X.509 End Certificates:
000
000 Jan 18 14:41:45 2010, count: 1
000 subject: 'C=xx, ST=xxx, L=xxx, O=xxx, OU=IT, CN=vpn.xxxx.net'
000 issuer: 'O=xxxx, CN=xxxx Intermediate CA'
000 serial: 43:dd:74:f3:00:00:00:00:00:3a
000 pubkey: 2048 RSA Key AwEAAclDa, has private key
000 validity: not before Jan 15 15:03:03 2010 ok
000 not after Jan 15 15:03:03 2012 ok
000 subjkey:
e4:16:e8:c8:02:69:9f:10:d1:ab:f2:57:be:16:84:e9:a9:b9:74:53
000 authkey:
f3:13:56:81:e0:bc:00:23:f5:10:b6:b6:6d:b4:0c:db:bf:24:93:1f
000
000 List of X.509 CA Certificates:
000
000 Jan 18 14:41:45 2010, count: 1
000 subject: 'O=xxxx, CN=xxxx CA'
000 issuer: 'O=xxxx, CN=xxxx Root CA'
000 serial: 61:58:09:b8:00:00:00:00:00:02
000 pubkey: 4096 RSA Key AwEAAeh7M
000 validity: not before Dec 08 13:48:12 2009 ok
000 not after Dec 08 13:58:12 2029 ok
000 subjkey:
f3:13:56:81:e0:bc:00:23:f5:10:b6:b6:6d:b4:0c:db:bf:24:93:1f
000 authkey:
ca:fc:80:4f:30:b8:50:3d:08:77:2d:92:e5:1a:e7:df:c9:0e:99:2f
000 Jan 18 14:41:45 2010, count: 1
000 subject: 'O=xxxx, CN=xxxx Root CA'
000 issuer: 'O=xxxx, CN=xxxx Root CA'
000 serial: 6c:e1:f1:db:b8:2d:a4:b0:44:51:d8:3d:69:0a:7f:d7
000 pubkey: 2048 RSA Key AwEAAbenN
000 validity: not before Dec 08 12:16:30 2009 ok
######################################################################
000 not after Jan 01 02:59:59 1970 fatal (expired) #
that's very strange___^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ #
######################################################################
000 subjkey:
ca:fc:80:4f:30:b8:50:3d:08:77:2d:92:e5:1a:e7:df:c9:0e:99:2f
000
000 List of X.509 CRLs:
000
000 Jan 18 14:41:45 2010, revoked certs: 0
000 issuer: 'O=xxxx, CN=xxxx Root CA'
000 distPts: 'http://pki.xxxx.net/crl/xxxx-rootCA.crl'
000 'file:///etc/ipsec.d/crls/xxxx-rootCA.crl'
000 updates: this Dec 08 12:34:48 2009
000 next Jun 07 01:54:48 2010 ok
000 authkey:
ca:fc:80:4f:30:b8:50:3d:08:77:2d:92:e5:1a:e7:df:c9:0e:99:2f
000 Jan 18 14:41:45 2010, revoked certs: 1
000 issuer: 'O=xxxx, CN=xxxx Intermediate CA'
000 distPts: 'http://pki.xxxx.net/crl/xxxx-CA.crl'
000 'file:///etc/ipsec.d/crls/xxxx-CA.crl'
000 updates: this Jan 14 12:37:23 2010
000 next Jan 22 00:57:23 2010 warning (expires in 3 days)
000 authkey:
f3:13:56:81:e0:bc:00:23:f5:10:b6:b6:6d:b4:0c:db:bf:24:93:1f
And openswan assumes my root CA is expired!
But when I run:
openssl x509 -in ipsec.d/cacerts/xxxx-rootCA.crt -startdate -enddate -noout
it looks valid:
notBefore=Dec 8 09:16:30 2009 GMT
notAfter=Dec 8 09:26:29 2049 GMT
My box is:
vpn:/# uname -a
Linux vpn.xxxx.net 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
vpn:/# ipsec --version
Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
See `ipsec --copyright' for copyright information.
ssh:/# xl2tpd --version
xl2tpd version: xl2tpd-1.2.0
What may the problem be?
Thanx a lot.
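Added example (not part of the post above and not Openswan code): a check a practitioner would run on a 32-bit host like this i686 box before trusting the "expired" verdict. The openssl output in the post puts the root CA's notAfter at Dec 8 2049 GMT, which is past the last second a signed 32-bit time_t can hold (Jan 19 2038 03:14:07 UTC), and the listing shows notBefore as 12:16:30 where openssl shows 09:16:30 GMT, so the box runs at UTC+3; in that zone "Jan 01 02:59:59 1970" is exactly time_t -1. The script parses the ASN.1 UTCTime/GeneralizedTime strings as they appear in a certificate, flags values that do not fit a 32-bit time_t, and renders what such a value looks like if a failed conversion is reported as -1. The two ASN.1 encodings are constructed from the post's openssl dates; modelling the failed conversion as -1 is an assumption, not something verified against the Openswan source.

```python
"""Check X.509 validity dates against a signed 32-bit time_t (Y2038 limit)."""
import datetime
import re
from typing import List

TIME_T32_MIN = -2**31
TIME_T32_MAX = 2**31 - 1            # 2038-01-19 03:14:07 UTC
UTC = datetime.timezone.utc
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=UTC)

# UTCTime: YYMMDDHHMMSSZ, GeneralizedTime: YYYYMMDDHHMMSSZ (RFC 5280 forms)
_ASN1_TIME = re.compile(r"^(\d{2}|\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_asn1_time(value: str) -> datetime.datetime:
    """Parse an X.509 UTCTime or GeneralizedTime into an aware UTC datetime.

    RFC 5280 restricts UTCTime to 1950..2049 (YY >= 50 -> 19YY, else 20YY) and
    requires GeneralizedTime from 2050 on, so a 2049 expiry is still a
    two-digit year on the wire.
    """
    m = _ASN1_TIME.match(value)
    if not m:
        raise ValueError("unsupported ASN.1 time: %r" % value)
    year = int(m.group(1))
    if len(m.group(1)) == 2:
        year += 1900 if year >= 50 else 2000
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    return datetime.datetime(year, month, day, hour, minute, second, tzinfo=UTC)


def to_epoch(value: str) -> int:
    """Seconds since the Unix epoch as an unbounded Python int."""
    return int((parse_asn1_time(value) - EPOCH).total_seconds())


def fits_time_t32(epoch: int) -> bool:
    """True if the value is representable in a signed 32-bit time_t."""
    return TIME_T32_MIN <= epoch <= TIME_T32_MAX


def to_time_t32(value: str) -> int:
    """Model a 32-bit conversion: the epoch if representable, else -1.

    Assumption (not verified against Openswan): a failed mktime()/timegm()
    on a 32-bit host reports -1, and that -1 is then printed as a date.
    """
    epoch = to_epoch(value)
    return epoch if fits_time_t32(epoch) else -1


def render_like_listall(epoch: int, utc_offset_hours: int) -> str:
    """Format an epoch the way the listing prints dates, in the box's local zone."""
    tz = datetime.timezone(datetime.timedelta(hours=utc_offset_hours))
    local = (EPOCH + datetime.timedelta(seconds=epoch)).astimezone(tz)
    return local.strftime("%b %d %H:%M:%S %Y")


def check_validity(not_before: str, not_after: str) -> List[str]:
    """Return findings for validity bounds that overflow a 32-bit time_t."""
    findings = []
    for label, value in (("notBefore", not_before), ("notAfter", not_after)):
        epoch = to_epoch(value)
        if not fits_time_t32(epoch):
            findings.append(
                "%s %s UTC (epoch %d) does not fit a signed 32-bit time_t "
                "(max %d = 2038-01-19 03:14:07 UTC)"
                % (label, parse_asn1_time(value).strftime("%Y-%m-%d %H:%M:%S"),
                   epoch, TIME_T32_MAX))
    return findings


# Constructed from the post's openssl output for the root CA (GMT values).
ROOT_CA_NOT_BEFORE = "091208091630Z"   # Dec  8 09:16:30 2009 GMT
ROOT_CA_NOT_AFTER = "491208092629Z"    # Dec  8 09:26:29 2049 GMT
# The listing prints the same notBefore as 12:16:30, so the box is at UTC+3.
BOX_UTC_OFFSET_HOURS = 3

if __name__ == "__main__":
    for finding in check_validity(ROOT_CA_NOT_BEFORE, ROOT_CA_NOT_AFTER):
        print("WARNING:", finding)
    for label, value in (("not before", ROOT_CA_NOT_BEFORE),
                         ("not after", ROOT_CA_NOT_AFTER)):
        print(label + ":", render_like_listall(to_time_t32(value),
                                               BOX_UTC_OFFSET_HOURS))
```

Run as-is, it warns that the 2049 notAfter overflows a 32-bit time_t and renders the two bounds as "Dec 08 12:16:30 2009" and "Jan 01 02:59:59 1970", the latter matching the listing in the post. To use it on a real store, feed it the raw notBefore/notAfter strings from `openssl asn1parse -in cert.pem` rather than the openssl-formatted dates, since those keep the UTCTime/GeneralizedTime distinction.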