'Expired certificates'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-modssl
Subject:    Expired certificates
From:       John.Airey () rnib ! org ! uk
Date:       2001-07-25 15:52:17
[Download RAW message or body]

I've just made an interesting discovery after suffering the ignomy of having
an SSL certificate expire. (Supposedly I'll have it within the next two
hours. A late night for me!)

It appears from my testing that the expiry time on a certificate is taken
from the client's machine time, not the server time. I've tested this with
IE 5.01 SP1 and Netscape 4.77.

Therefore the moral is to ensure that you renew all certificates before the
time on the certificate is reached anywhere in the world, to prevent browser
warnings. In practical terms this would mean renewing before the last 24
hours of the certificate is reached. As far as I am aware this is not
documented anywhere. (No doubt some clever person will point me to the RFC
where this is).

I believe I'll have some accurate information about self-signed starred
certificates with IIS fairly soon also.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk 

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic