Recently, we hit upon a very interesting(!?!) problem using Keytool inside our application.
We have a customer in Thailand who complained that the self-signed certificates generated in our application (which in turn uses Keytool) have got the Certificate “Valid From” and “Valid To” dates completely wrong.
The catch here is that Thai Calendar Year is 543 years ahead of the Julian Calendar. In other words, year 2006 in English Calendar is equivalent to year 2549 in Thailand Calendar.
Let's say I generate a self-signed certificate using Keytool with my machine running on the Thai locale: the year portion of “Valid From” should be stamped as 2549 (2006 is the current year, + 543).
And if the validity of the certificate is 3 years, then the Year of Expiry is 2552.
But, Keytool just ignores this whole difference in the Calendars and lives with the all famous Y2K Bug!!!
The Certificate would show as Valid from 2049 to 1952!!! Howzzat???
Despite any amount of googling through the Java Sun forums and other newsgroups, I could not find anything that talks about this problem/behavior.
Am I missing something big here??? Hope someone someday will help me resolve this mystery!
I am giving the exact keytool syntax I used for easy reference for anyone who would like to try this out 🙂
1. Generate Self Signed Certificate
keytool -genkey -keyalg rsa -sigalg sha1withrsa -keysize 1024 -storetype jceks -validity 1095 -storepass storepass -keypass keypass -dname "CN=MyName,O=MyOrganization,OU=MyDepartment,ST=Karnataka,L=Bangalore,C=IN" -keystore test.jceks
2. Export the Certificate in .der format
keytool -export -file cert.der -keystore test.jceks -storetype jceks -storepass storepass
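
One possible explanation for the 2049 and 1952 years described above, as an added example that is not part of the original post and not Keytool's own code: X.509 stores validity dates up to 2049 as UTCTime, which keeps only two year digits and is decoded with a fixed pivot (RFC 5280). The sketch assumes the encoder takes the year from the locale's Buddhist calendar; the issue date is constructed and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

BUDDHIST_ERA_OFFSET = 543  # Thai year = Gregorian year + 543, as stated in the post

def encode_utctime(dt, year_offset=0):
    """Format dt as ASN.1 UTCTime (YYMMDDHHMMSSZ). Only two year digits are kept.

    year_offset models the assumed bug: the encoder reads the year from the
    locale's calendar (Buddhist Era) instead of the Gregorian calendar.
    """
    yy = (dt.year + year_offset) % 100
    return f"{yy:02d}{dt:%m%d%H%M%S}Z"

def decode_utctime(text):
    """Read UTCTime as RFC 5280 requires: YY >= 50 means 19YY, otherwise 20YY."""
    yy = int(text[:2])
    century = 1900 if yy >= 50 else 2000
    return datetime.strptime(f"{century + yy}{text[2:]}", "%Y%m%d%H%M%SZ").replace(
        tzinfo=timezone.utc)

def validity_seen_by_verifier(issued, days, year_offset=0):
    """Return (notBefore, notAfter) as a certificate parser would decode them."""
    expires = issued + timedelta(days=days)
    return (decode_utctime(encode_utctime(issued, year_offset)),
            decode_utctime(encode_utctime(expires, year_offset)))

def validity_is_sane(not_before, not_after):
    """Check to run on freshly generated certificates: the window must not be inverted."""
    return not_before < not_after

# Constructed issue date in 2006; 1095 days matches -validity 1095 from the post.
ISSUED = datetime(2006, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, offset in (("Gregorian year", 0), ("Buddhist Era year", BUDDHIST_ERA_OFFSET)):
        nb, na = validity_seen_by_verifier(ISSUED, 1095, offset)
        print(f"{label}: {nb.year} to {na.year}, sane={validity_is_sane(nb, na)}")
```

With the Buddhist Era year, 2549 is written as "49" and read back as 2049, while 2552 is written as "52" and read back as 1952, so the certificate expires before it becomes valid.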