Hello everyone,

I'm not very experienced with certificates and I've got a couple of questions, if someone can help me please?

I'm using self signed certificates; SSTP server is running on CCR1036 v6.48.1. Our VPN network is quite large with a lot of clients connecting to the server as SSTP clients. Default valid days number is 365, and updating certificates for all clients including server is quite painful.

So, I guess, the first question would be if it is possible to to make certificates permanent, valid days = unlimited?

If it can't be done, can I make valid days = 36500, or more?

It is working while adding a template:
/certificate
add name=ca-template common-name=CA days-valid=36500 key-usage=key-cert-sign,crl-sign

In the Certificate list Valid Days will be 36500, which is great.

However, when signing the certificates:
/certificate
sign ca-template name=CA

Valid Days number falls back to 6113 figure. I understand that 16 years is better than 1 :) But it still would be better to have 100 years (or more) and forget about certificate updates for good.

Any help is appreciated greatly.
Thank you in advance.

Seconds are counted from jan/01/1970 and stored in a signed integer (32 bit value). On jan/19/2038 this will overflow, thus anything before is the maximum date allowed by RouterOS.

https://en.wikipedia.org/wiki/Unix_time

Seconds are counted from jan/01/1970 and stored in a signed integer (32 bit value). On jan/19/2038 this will overflow, thus anything before is the maximum date allowed by RouterOS.

https://en.wikipedia.org/wiki/Unix_time

Thank you very much. Does that mean that on Jan/19/2038 all certificates for all sites we have will expire and I can't do anything about it even 1 day prior? I mean, do I have to re-issue certificates only after Jan/19/2038?

I guess we will see a RouterOS update before that date that addresses the issue. 😜

I guess we will see a RouterOS update before that date that addresses the issue. 😜

Let's hope a work around will be created :)

Thank you very much for your help.

There's a myriad of issues, revolving around 32-bit timers with offset to UNIX epoch. Linux kernel has support for 64-bit counters since ages ago (also 32-bit kernel), but there are other (mostly 32-bit) applications (and glibc and ...) which not necessarily use it yet. And those include ssl libraries, certificate themselves can be set with dates up to year 9999.

My bet is that with ROS v7 (based on recent linux kernel and hopefully other binaries as well) we'll be year 2038 ready.

Necroposting on this thread just to say that ROS 7.6 still limits certificate validity to 2038, it seems.

https://xkcd.com/2697