2.7 Certificate start and expiry times
MyID requests certificate lifetimes on a "days from now" basis. However, Symantec MPKI uses specific times for certificate start and end dates.
There are some considerations that you should be aware of when requesting certificates, particularly where the exact timing of their validity may be important:
-
All MPKI issuance is from midnight on the first day of the requested certificate.
-
All MPKI expiry dates are just before midnight on the last day of the requested period.
-
All times are UTC. (You may see dates and times on certificates in other time zones, but the underlying time zone for all CA operations is UTC.)
-
MPKI can be configured to disallow MyID's ability to override validity.
-
You cannot issue a one-day certificate; you can, however, issue a two-day certificate.
This also means that the lifetime of the certificate may not match the lifetime of the card; MyID's lifetimes are based on the time of issuance, while MPKI's lifetimes are based on midnight UTC.
Some example situations:
|
Requested lifetime |
Card start date |
Card expiry date |
Certificate start date |
Certificate expiry date |
Result |
|---|---|---|---|---|---|
|
1 day |
2018-05-24 12:57:51.523 |
2018-05-25 12:57:50.000 |
|
|
MyID rejects the certificate request. |
|
2 day |
2018-05-24 14:26:56.983 |
2018-05-26 14:26:55.000 |
2018-05-24 00:00:00.000 |
2018-05-25 23:59:59.000 |
|
|
365 days |
2018-05-24 14:40:15.187 |
2019-05-24 14:40:14.000 |
2018-05-24 00:00:00.000 |
2019-05-23 23:59:59.000 |
|
|
970 days |
2018-05-24 15:04:50.327 |
2021-01-18 15:04:49.000 |
2018-05-24 00:00:00.000 |
2021-01-17 23:59:59.000 |
|
|
1234 days |
2018-05-24 15:18:41.877 |
2021-10-09 15:18:41.000 |
|
|
Certificate failure A6011 |