ghostt
just joined
Topic Author
Posts: 21
Joined: Tue Apr 24, 2018 4:07 pm
Location: Australia

Certificate valid days question

Wed Apr 07, 2021 7:47 am

Hello everyone,

I'm not very experienced with certificates and I've got a couple of questions, if someone can help me please?

I'm using self signed certificates; SSTP server is running on CCR1036 v6.48.1. Our VPN network is quite large with a lot of clients connecting to the server as SSTP clients. Default valid days number is 365, and updating certificates for all clients including server is quite painful.

So, I guess, the first question would be if it is possible to make certificates permanent, valid days = unlimited?

If it can't be done, can I make valid days = 36500, or more?

It is working while adding a template:
/certificate
add name=ca-template common-name=CA days-valid=36500 key-usage=key-cert-sign,crl-sign

In the Certificate list Valid Days will be 36500, which is great.

However, when signing the certificates:
/certificate
sign ca-template name=CA

Valid Days number falls back to 6113 figure. I understand that 16 years is better than 1 :) But it still would be better to have 100 years (or more) and forget about certificate updates for good.

Any help is appreciated greatly.
Thank you in advance.
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Certificate valid days question

Wed Apr 07, 2021 8:39 am

Seconds are counted from jan/01/1970 and stored in a signed integer (32 bit value). On jan/19/2038 this will overflow, thus anything before is the maximum date allowed by RouterOS.

https://en.wikipedia.org/wiki/Unix_time
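
The limit described in the post above, worked through as an added example (not part of the original posts and not RouterOS code): it computes the last second a signed 32-bit counter can hold, shows where one second more would wrap to, and clamps a requested days-valid to that limit. The signing date is constructed, and clamping instead of wrapping is an assumption; RouterOS's exact rounding is not shown in this thread.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1  # largest value a signed 32-bit seconds counter holds
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
LIMIT = EPOCH + timedelta(seconds=INT32_MAX)  # 2038-01-19 03:14:07 UTC


def as_int32_time(moment):
    """Where a signed 32-bit seconds counter would place `moment` (it wraps)."""
    secs = int((moment - EPOCH).total_seconds())
    wrapped = (secs + 2**31) % 2**32 - 2**31
    return EPOCH + timedelta(seconds=wrapped)


def effective_validity(issued, days_requested):
    """Return (not_after, days_granted, clamped) under the 32-bit limit.

    Assumption: the signer clamps notAfter to the last representable
    second instead of letting the counter wrap.
    """
    wanted = issued + timedelta(days=days_requested)
    if wanted <= LIMIT:
        return wanted, days_requested, False
    return LIMIT, (LIMIT - issued).days, True


if __name__ == "__main__":
    # Constructed signing date; 36500 and 365 are the values from the thread.
    issued = datetime(2021, 4, 7, tzinfo=timezone.utc)
    for days in (365, 36500):
        not_after, granted, clamped = effective_validity(issued, days)
        print(f"days-valid={days}: notAfter={not_after:%Y-%m-%d %H:%M:%S} UTC, "
              f"granted={granted} days, clamped={clamped}")
    # One second past the limit lands in 1901 on a wrapping counter.
    print("wraps to:", as_int32_time(LIMIT + timedelta(seconds=1)))
```

Every certificate clamped this way carries the same notAfter, so they all come up for re-issue together.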
 
ghostt
just joined
Topic Author
Posts: 21
Joined: Tue Apr 24, 2018 4:07 pm
Location: Australia

Re: Certificate valid days question

Wed Apr 07, 2021 9:45 am

> Seconds are counted from jan/01/1970 and stored in a signed integer (32 bit value). On jan/19/2038 this will overflow, thus anything before is the maximum date allowed by RouterOS.
>
> https://en.wikipedia.org/wiki/Unix_time

Thank you very much. Does that mean that on Jan/19/2038 all certificates for all sites we have will expire and I can't do anything about it even 1 day prior? I mean, do I have to re-issue certificates only after Jan/19/2038?
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Certificate valid days question

Wed Apr 07, 2021 9:50 am

I guess we will see a RouterOS update before that date that addresses the issue. 😜
 
ghostt
just joined
Topic Author
Posts: 21
Joined: Tue Apr 24, 2018 4:07 pm
Location: Australia

Re: Certificate valid days question

Wed Apr 07, 2021 10:11 am

> I guess we will see a RouterOS update before that date that addresses the issue. 😜

Let's hope a workaround will be created :)

Thank you very much for your help.
 
mkx
Forum Guru
Posts: 12985
Joined: Thu Mar 03, 2016 10:23 pm

Re: Certificate valid days question

Wed Apr 07, 2021 4:06 pm

There's a myriad of issues revolving around 32-bit timers with offset to the UNIX epoch. The Linux kernel has had support for 64-bit counters since ages ago (also the 32-bit kernel), but there are other (mostly 32-bit) applications (and glibc and ...) which do not necessarily use it yet. And those include SSL libraries; certificates themselves can be set with dates up to year 9999.

My bet is that with ROS v7 (based on recent linux kernel and hopefully other binaries as well) we'll be year 2038 ready.
 
Kurgan
just joined
Posts: 8
Joined: Mon Dec 17, 2012 1:20 am

Re: Certificate valid days question

Sun Nov 13, 2022 4:15 pm

Necroposting on this thread just to say that ROS 7.6 still limits certificate validity to 2038, it seems.
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Certificate valid days question

Sun Nov 13, 2022 4:55 pm
