4

The JWT Spec (RFC 7519) has an issued at field ("iat"). Does x509 have any analogous value? I see a Validity field, but nothing else time related.

jtpereyda
  • 1,430
  • 2
  • 16
  • 26

2 Answers2

3

X.509 has a Not Before and a Not After field which describes when the certificate is valid to use for the defined purpose. The Not Before usually matches about the time when the certificate was issued but it is not required to do so.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • It sounds like the distinction was not made or not considered important for x509's purposes when it was written. – jtpereyda Jan 08 '18 at 22:42
1

RFC 5280 does not provide a distinct field specifying the issuance date of a certificate.

If you really need that information though, you can check a Certificate Transparency logs for that certificate. They are not necessarily perfect either, but they give you a definitive issuedNotAfter time. Take the logs for the current google.com certificate. The certificate states a notBefore date of Dec 13 13:51:18 2017 GMT, while the CT timestamp indicates that the certificate was probably signed about 40 minutes after that date.

mat
  • 1,243
  • 7
  • 14