TLS-Client-Cert-Expiration date format

John Dennis jdennis at
Thu Jul 25 15:08:21 CEST 2013

On 07/25/2013 04:50 AM, George Ross wrote:
>> Just wondering if anyone knew what the expiration date format was back
>> from eap-tls transactions? I have a cert here that expires 23/07/2015
>> and FR gives back  "150723132302Z".
>> That's a Z on the end..?
> <>.

Sorry, but "150723132302Z" is not 8601.

"150723132302Z" is universaTime a subset of ASN.1 GeneralizedTime (see section 5.17)

universalTime is being used because certs are encoded in ASN.1,
specifically they require the use of GeneralizedTime.

The GeneralizedTime form was standardized before RFC 8601.

The use of GeneralizedTime is an artifact of the certificate binary
encoding format. I'm not sure that's the best presentation these days.
I'd rather see GeneralizedTime values presented in 8601 format to be
consistent with modern standards. To properly parse the universalTime
format being used one has to understand the nuances of X509 certificate
encoding which is expecting too much.

I wonder if the OpenSSL library has an option or function to convert to


More information about the Freeradius-Users mailing list