Ability to generate a Certificate with a Valid From Date in the Past?

Hello,

Does LetsEncrypt have the ability to generate a certificate with a “Valid From” date that is in the past?

For example, generating a Valid From Date in July 2016 instead of July 2017.

Is this possible?

Hi @erikpasta,

No, it is not possible to control the "Not Before" or "Not After" dates of the certificates issued by Let's Encrypt. The Not Before date is automatically backdated 1 hour from issuance but it is not configurable. Similarly the Not After date is set to 90 days from the time of issuance and is not configurable.

I don't have a definitive reference at hand but I don't think any browser trusted CA will be able to fulfill this request. I believe the CA Browser Forum (CABF) baseline requirements prohibit back dating to this extent.

I’m almost positive that this is not possible. LE certs have a 90-day validity period and are already back-dated by an hour to account for inaccurate system clocks. What use case are you trying to accomplish with a cert back-dated by a year?

1 Like

This may have changed, but it’s actually not prohibited, as far as i know. Backdating certificates for purposes of cheating rules (e.g. issuing SHA-1 after 2015-12-31) is unacceptable, but in general CAs are just encouraged to behave reasonably.

https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date

2 Likes

That may be the case! Unfortunate :-/

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.