SSL Certificate Expiry: Does the expiry time make any difference at all?


Solution 1

They have a time as well as a date. Taking one of my own certificates, obtained with openssl s_client, and putting it into openssl x509 -text -noout, I find (amongst other things) that:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 513100 (0x7d44c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
        Validity
            Not Before: Aug 16 06:07:05 2012 GMT
            Not After : Oct 16 09:42:56 2016 GMT

As you can see, the certificate is very precise about when it expires. Yours should be, too.
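An added example (not part of the original answers, and not code from OpenSSL): a Python sketch that parses the Validity block of the `openssl x509 -text -noout` output shown above and evaluates it to the second. It treats notAfter as the last valid second, as RFC 5280 defines the validity period; the function names are assumptions of this example, and what a given client does with the comparison remains up to that client.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the Validity block copied from the answer's openssl output.
SAMPLE_TEXT = """\
        Validity
            Not Before: Aug 16 06:07:05 2012 GMT
            Not After : Oct 16 09:42:56 2016 GMT
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s+GMT\s*$", re.MULTILINE)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for name, stamp in _FIELD.findall(text):
        # OpenSSL pads single-digit days with a space ("Oct  6"); collapse it.
        stamp = " ".join(stamp.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is missing Not Before or Not After")
    return found["Before"], found["After"]


def status_at(text, when):
    """Classify the certificate at instant `when` (an aware datetime).

    RFC 5280: the validity period runs from notBefore through notAfter,
    inclusive, so the certificate is expired from the following second.
    """
    not_before, not_after = parse_validity(text)
    if when < not_before:
        return "not yet valid"
    if when > not_after:
        return "expired"
    return "valid"


def seconds_remaining(text, when):
    """Seconds until notAfter; negative once the certificate has expired."""
    _, not_after = parse_validity(text)
    return int((not_after - when).total_seconds())


if __name__ == "__main__":
    for hms in ((9, 42, 56), (9, 42, 57), (10, 0, 0)):
        t = datetime(2016, 10, 16, *hms, tzinfo=timezone.utc)
        print(t.isoformat(), status_at(SAMPLE_TEXT, t), seconds_remaining(SAMPLE_TEXT, t))
```
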

Solution 2

The expiration time is down to the second. It really shouldn't matter though since the certificate should be renewed / migrated / etc. weeks in advance in any professional organization.

Author by

CYMR0

Updated on September 18, 2022

Comments

  • CYMR0 over 1 year

    I need to know when an SSL certificate actually expires. Does it just look at the expiry date, or does it also take into account the expiry time?

    Let's say a certificate expired on 1/1/2013 at 11am. Does that certificate expire at 11:01am or is it only the following day that the certificate expires? I have been told both are true.

    Hope that makes sense! Our suppliers messed up and let our certificate expire, and I'm trying to figure out how much compensation we're owed.

    I found this question, "Details on exact expiration datetime of an SSL certificate?", but it didn't quite answer what I need (and I didn't like to revive a dead question).

  • CYMR0 over 11 years
    Thanks! So am I right in saying that with your example at Oct 16 10:00:00 2016 GMT the browsers would then kick up a fuss saying the certificate is no longer valid? Just wanna be crystal clear!
  • CYMR0 over 11 years
    Thanks! Yeah, I know. I even reminded said professional organisation about it a month ago. They're saying that the expiry time doesn't matter though, and that it is only the following day that the certificate expires and browsers complain.
  • John Gardeniers over 11 years
    @CYMR0, whether or not browsers complain based on the time may well be browser-dependent.
  • MadHatter over 11 years
    That's client-dependent (i.e., it's up to the browser), but it's certainly what you'd expect a well-behaved browser to do. If your suppliers claim certificates expire on a day, they're wrong; they expire on a second, as I've shown. But if they claim that some browsers don't care until the following day, they should be asked which browsers, and for some proof.