SSL Certificate Expiry: Does the expiry time make any difference at all?
Solution 1
They have a time as well as a date. Taking one of my own certificates, obtained with openssl s_client
, and putting it into openssl x509 -text -noout
, I find (amongst other things) that:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 513100 (0x7d44c)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
Validity
Not Before: Aug 16 06:07:05 2012 GMT
Not After : Oct 16 09:42:56 2016 GMT
As you can see, the certificate is very precise about when it expires. Yours should be, too.
Solution 2
The expiration time is down to the second. It really shouldn't matter though since the certificate should be renewed / migrated / etc weeks in advance in any professional organization.
CYMR0
Updated on September 18, 2022Comments
-
CYMR0 over 1 year
I need to know when an SSL certificate actually expires. Does it just look at the expiry date, or does it also take into account the expiry time?
Let's say a certificate expired on 1/1/2013 at 11am. Does that certificate expire at 11:01am or is it only the following day that the certificate expires? I have been told both are true.
Hope that makes sense! Our suppliers messed up and let our certificate expire, and I'm trying to figure out how much compensation we're owed.
I found this question Details on exact expiration datetime of an SSL certificate? but it didn't quite answer what I need (and I didn't like to revive a dead question).
-
CYMR0 over 11 yearsThanks! So am I right in saying that with your example at Oct 16 10:00:00 2016 GMT the browsers would then kick up a fuss saying the certificate is no longer valid? Just wanna be crystal clear!
-
CYMR0 over 11 yearsThanks! Yeah, I know. I even reminded said profesional organisation about it a month ago. They're saying that the expiry time doesn't matter though, and that it is only the following day, that the certificate expires and browsers complain.
-
John Gardeniers over 11 years@CYMR0, whether or not browsers complain based on the time may well be browser dependant.
-
MadHatter over 11 yearsThat's client-dependent (ie, it's up to the browser), but it's certainly what you'd expect a well-behaved browser to do. If your suppliers claim certificates expire on a day, they're wrong; they expire on a second, as I've shown. But if they claim that some browsers don't care until the following day, they should be asked which browsers, and for some proof.