This article contains information regarding limitations when importing an external CA certificate chain into BoKS, either with the command 'cacreds set' or using FCC.

For more information on how to use BoKS with an external CA, see KB #11053.

Reference Information

BoKS versions 7.1 and older do not correctly handle certificates that expire beyond Jan 19, 2038. This is because the expiration date is stored as a 32-bit signed integer that is interpreted as the number of seconds since 00:00:00 UTC on 1 January 1970 (the epoch). As a result, it cannot encode dates after 03:14:07 UTC on 19 January 2038.

If you try to import such a certificate, the operation fails with an error:

BoKS # cacreds set -f sample_prod_cert_long_validity.cer -c VERIFY

cacreds: Failed to parse certificate

The workaround is to use only certificates that expire before Jan 19, 2038. If the corporate CA intended for use has a later expiration date, the only solution is to use the internal BoKS CA to issue host certificates.
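A chain can be checked against this limit before it is imported. The following is an added example, not part of BoKS or of the original article: it reads the notAfter lines printed by `openssl x509 -noout -enddate` for each certificate in the chain and reports any that do not fit in a signed 32-bit seconds value. The function names, the labels and the sample dates are assumptions made for illustration.

```python
"""Flag certificates whose notAfter does not fit in a signed 32-bit seconds field.
Input lines have the form printed by `openssl x509 -noout -enddate`."""
import calendar

INT32_MAX = 2**31 - 1  # 2147483647 = 03:14:07 UTC on 19 January 2038
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def not_after_epoch(line):
    """Parse 'notAfter=Jan 19 03:14:08 2038 GMT' into seconds since the epoch."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"not an -enddate line: {line!r}")
    # split() also copes with the space-padded day openssl prints ("Jan  1").
    mon, day, hms, year, zone = value.split()
    if zone != "GMT" or mon not in MONTHS:
        raise ValueError(f"unexpected date format: {value!r}")
    hour, minute, second = (int(part) for part in hms.split(":"))
    return calendar.timegm((int(year), MONTHS[mon], int(day), hour, minute, second))


def as_int32(seconds):
    """Two's-complement value left after truncating to 32 bits. Illustration
    only: BoKS itself reports a parse failure rather than a wrapped date."""
    return (seconds + 2**31) % 2**32 - 2**31


def check_chain(entries):
    """entries: (label, enddate_line) pairs. Returns the ones past the limit
    as (label, epoch_seconds, truncated_int32)."""
    too_late = []
    for label, line in entries:
        seconds = not_after_epoch(line)
        if seconds > INT32_MAX:
            too_late.append((label, seconds, as_int32(seconds)))
    return too_late


# Constructed sample chain; the dates are made up for this example.
SAMPLE_CHAIN = [
    ("host certificate", "notAfter=Aug 28 12:00:00 2029 GMT"),
    ("issuing CA", "notAfter=Jan 19 03:14:07 2038 GMT"),  # last value that fits
    ("root CA", "notAfter=Jan 19 03:14:08 2038 GMT"),     # one second too late
]

if __name__ == "__main__":
    for label, seconds, wrapped in check_chain(SAMPLE_CHAIN):
        print(f"{label}: notAfter={seconds} exceeds {INT32_MAX} (int32: {wrapped})")
```

Every certificate in the chain has to pass, including the root and any intermediates, since a single late expiry date is enough to trip the limit.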

Last Modified On: August 28, 2019