Please answer these questions before submitting your issue. Thanks!

1. What version of Go are you using (go version)?

go version go1.7rc6 linux/amd64

1. What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/jeff/go"
GORACE=""
GOROOT="/home/jeff/src/go"
GOTOOLDIR="/home/jeff/src/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build147682720=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

1. What did you do?

The CreateCRL function takes the given revoked certificate list and passes it straight to the asn1 package for marshaling. The asn1 package encodes time.Time values with offsets.

However, per RFC 5280 section 5.1.2.6, revocation time values must be expressed as described in https://tools.ietf.org/html/rfc5280#section-5.1.2.4 which itself indicates that the time must be expressed as defined in https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 -- and here, it specifies that all such times must be UTC.

Allowing CRLs to be created with non-UTC time values is not-RFC compliant. At worst, this is probably a documentation issue -- the docs should warn the caller that all times must be UTC. At best, the code would walk through the list of revoked certificates and ensure that the time values contained within are in UTC.

1. What did you expect to see?

CRLs created with time zones that are disallowed per RFC.

1. What did you see instead?

CRLs created with time zones that are allowed per RFC.