Hi , i just encountered a certificate which gets logged days before it got issued . how is it possible ?
1 Like
The “Not before” date doesn’t have to be the date the certificate was issued.
1 Like
ok @Osiris it means it took days for CA to issue the certificate for request ? am i wrong ?
1 Like
Late registration ?
Looks like basically issued a cert that would be valid anytime this year (only).
But it doesn’t really say exactly when it was issued… or does it?
1 Like
sorry @rg305 i didnt get what you said ?
1 Like
It means the CA just set the dates to those dates they specifically wanted.
It looks like it's the certificate of one of Let's Encrypts own Certificate Logssystems. Let's Encrypt can sign their certificates the way they wanted. They themselves are not limited to the specific rules we are. Like, when we want a certificate from Let's Encrypt, almost everything from the CSR is ignored. We're getting a certificate with a validity of 90 days from the moment Let's Encrypt issues it (minus one hour for clock drift I think). However, Let's Encrypt doesn't have to apply those rules to themselves. They can issue certificates in the future like this one if they'd like.
By the way, it's issued by this root certificate: crt.sh | 1476662614 Probably the one place that certificate is valid, is in the Certificate Log itself and perhaps other LE logs 
1 Like
@arjunnkn I don't see what you mean when you say:
I click the link you provided but I don't see what you see.
Can you post a picture?
@rg305 Check the date the certificate was logged. Way before the “Not before” date. @arjunnkn assumed this was not possible, because as I read it, he thought the “Not before” date was the date the certificate was issued. But that isn’t necessarily the case.
1 Like
Ok now I understand your point.
But I don’t see the “crime”.
Like what if the whole thing was in the past…
Logged today for a cert that was valid only last year.
How it that a bad thing?
At least there is an entry of its’ existence.
“Better late than never.”
1 Like
You've got it backwards. It was logged in February 2019. It's valid the year 2020.
1 Like
OH SNAP!
My eyes are deceiving me!
This is 2020 but my eyes aren't 20/20!!!
2 Likes
So …
I’m going to give you a cert today…
But it will only be good next year - all year - anytime… NEXT YEAR.
Yeah, weird…
But is that a “crime” ? ? ?
1 Like
By the way, interesting thing I found in the CA/B Forum BR in a specific definition:
Validity Period: The period of time measured from the date when the Certificate is issued until the Expiry
Date.
Notice the use of "is issued".
And in section 6.3.2 we see:
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period ngreater than 39 months.
So in essence, the "Not after" date is calculated from the day the certificate was ISSUED and NOT the "Not Before" date?
No. Like I said, I think @arjunnkn just misinterpreted the "Not before" date as the date of issuance, but that isn't necessarily true. It would of course be impossible to log a certificate which wasn't even issued until the future. However, it's perfectly possible to issue a certificate now with the "Not Before" date in the future. But that requires the understanding that "Not before" is not the same as "date of issuance".
2 Likes
So the only real “limit” is the END DATE.
Which can’t be more than 825 days into the future from the date it was issued.
Regardless of START DATE.
1 Like
I think that’s how you should interpret the BR yes.
Not an issue for most certificates, but it means you can’t issue a (subscriber!) certificate with a lifetime of 365 days more than 1 year and 3 months and 5 days into the future.
1 Like
@Osiris @rg305 on my log parser another certificate gets logged see
No you cannot use it before start date too
1 Like
Nothing strange about that one, right?
I did see something strange however on the certificate you first mentioned: it's logged by the 2020 Oak CT log, but its timestamp is in 2019? I didn't see it was the 2020 shard of the Oak log before..
@Osiris if you dont mind can we discuss as i am not completely satisfied yet ??
Please do, what did you want to discuss about that second certificate?