TLS-Client-Cert-Expiration date format

John Dennis jdennis at redhat.com
Thu Jul 25 15:08:21 CEST 2013


On 07/25/2013 04:50 AM, George Ross wrote:
>> Just wondering if anyone knew what the expiration date format was back
>> from eap-tls transactions? I have a cert here that expires 23/07/2015
>> and FR gives back  "150723132302Z".
>> That's a Z on the end..?
> 
> <http://en.wikipedia.org/wiki/ISO_8601>.

Sorry, but "150723132302Z" is not 8601.

https://en.wikipedia.org/wiki/ISO_8601

"150723132302Z" is universalTime, a subset of ASN.1 GeneralizedTime

http://www.obj-sys.com/asn1tutorial/node14.html

http://luca.ntop.org/Teaching/Appunti/asn1.html (see section 5.17)

universalTime is being used because certs are encoded in ASN.1,
specifically they require the use of GeneralizedTime.

The GeneralizedTime form was standardized before RFC 8601.

The use of GeneralizedTime is an artifact of the certificate binary
encoding format. I'm not sure that's the best presentation these days.
I'd rather see GeneralizedTime values presented in 8601 format to be
consistent with modern standards. To properly parse the universalTime
format being used one has to understand the nuances of X509 certificate
encoding which is expecting too much.

I wonder if the OpenSSL library has an option or function to convert to
8601.


-- 
John
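
Added example, not part of the original post and not FreeRADIUS or OpenSSL code: a Python sketch that converts the value quoted in the thread, "150723132302Z", to ISO 8601. The function names are hypothetical; it assumes the RFC 5280 rule for two-digit years (YY >= 50 means 19YY, otherwise 20YY) and also accepts the 15-character four-digit-year form.

```python
from datetime import datetime, timezone


def parse_cert_time(value: str) -> datetime:
    """Parse an X.509 validity time string into an aware UTC datetime.

    Accepts YYMMDDHHMMSSZ (ASN.1 UTCTime, two-digit year) and
    YYYYMMDDHHMMSSZ (ASN.1 GeneralizedTime, four-digit year).
    Anything else raises ValueError rather than being guessed at.
    """
    if not value.isascii() or not value.endswith("Z"):
        raise ValueError("expected an ASCII time string ending in 'Z' (UTC)")
    digits = value[:-1]
    if not digits.isdigit():
        raise ValueError("time string contains non-digit characters")

    if len(digits) == 12:            # two-digit year
        yy = int(digits[:2])
        # Assumption stated in the lead-in: RFC 5280 pivot for two-digit years.
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unexpected length for a certificate time string")

    month, day, hour, minute, second = (
        int(rest[i:i + 2]) for i in range(0, 10, 2)
    )
    # datetime() rejects impossible fields (month 13, day 32, hour 25, ...).
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def to_iso8601(value: str) -> str:
    """Render the certificate time as an ISO 8601 UTC timestamp."""
    return parse_cert_time(value).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_expired(value: str, now: datetime) -> bool:
    """True if the expiration time is at or before `now` (an aware datetime)."""
    return parse_cert_time(value) <= now


if __name__ == "__main__":
    # "150723132302Z" is the value from the thread; the second is constructed.
    for sample in ("150723132302Z", "20500101000000Z"):
        print(sample, "->", to_iso8601(sample))
```

The trailing "Z" marks the time as UTC, so the converted value can be compared directly against the current UTC time when checking expiry.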

