Question

What exceptions will/may I receive if certificates stored in the Java trust store expire? Will I certainly receive an exception when accessing the certified resource? Under what circumstances will there be no exceptions?


Solution

If a certificate in the trust store expires, and is not replaced with an updated version with the same subject and key, it will be discarded for the purpose of building the certification path, so you'll get a javax.net.ssl.SSLHandshakeException (coming from "PKIX path building failed...").

If you look at the JSSE Reference Guide (trust manager section), it relies on the CertPath API (which implements what's needed to verify the date/time).

The default PKIX trust manager implements RFC 3280, which requires all certificates in the chain to be valid at the current date/time. See section 6.1:

The algorithm presented in this section validates the certificate with respect to the current date and time.

and

(d) for all x in {1, ..., n}, the certificate was valid at the time in question.

If you want to bypass this, you can implement your own trust manager (although it's generally not recommended, since you'd weaken the default algorithm).
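Rather than waiting for the handshake to fail, an operator can audit the trust store ahead of time. The following is an added example (not code from the question or the answer above) that loads a JKS/PKCS12 trust store the way the default trust manager locates it (the `javax.net.ssl.trustStore` property, else `$JAVA_HOME/lib/security/cacerts`), runs `X509Certificate.checkValidity()` on every entry, and flags anchors that are expired, not yet valid, or inside a warning window. It also shows how to unwrap the `SSLHandshakeException` the answer mentions down to the `CertPathValidatorException` reason, so logs say "EXPIRED" rather than only "PKIX path building failed". The class name, the 90-day window, and the default password "changeit" are assumptions; it needs Java 16+ for records and pattern matching.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/** Added example: audits a Java trust store for expired or soon-to-expire anchors. */
public class TrustStoreExpiryAudit {

    /** One finding per trust store entry (assumed record shape). */
    public record Finding(String alias, String subject, Instant notAfter, String status) {}

    /** Locate the trust store the default trust manager would use (simplified lookup). */
    static Path defaultTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) return Paths.get(configured);
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Load the store; the default KeyStore type reads both JKS and PKCS12 on current JDKs. */
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Classify every X.509 entry relative to 'now' and a warning window. */
    static List<Finding> audit(KeyStore ks, Duration warnWindow, Instant now) throws Exception {
        List<Finding> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate x)) continue; // skip non-X.509 / key entries
            Instant notAfter = x.getNotAfter().toInstant();
            String status;
            try {
                // Same date check the PKIX validator applies to each certificate in the chain.
                x.checkValidity(Date.from(now));
                status = notAfter.isBefore(now.plus(warnWindow)) ? "EXPIRING" : "OK";
            } catch (CertificateExpiredException e) {
                status = "EXPIRED";
            } catch (CertificateNotYetValidException e) {
                status = "NOT_YET_VALID";
            }
            out.add(new Finding(alias, x.getSubjectX500Principal().getName(), notAfter, status));
        }
        return out;
    }

    /**
     * Walk the cause chain of a handshake failure and return the PKIX reason
     * (e.g. BasicReason.EXPIRED) when a CertPathValidatorException is present.
     */
    static String describeHandshakeFailure(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof CertPathValidatorException cpve) {
                return "PKIX failure, reason=" + cpve.getReason() + ": " + cpve.getMessage();
            }
        }
        return t.getClass().getSimpleName() + ": " + t.getMessage();
    }

    public static void main(String[] args) throws Exception {
        Path path = args.length > 0 ? Paths.get(args[0]) : defaultTrustStorePath();
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray(); // assumed default password
        KeyStore ks = load(path, pw);
        Instant now = Instant.now();
        for (Finding f : audit(ks, Duration.ofDays(90), now)) {
            if (!f.status().equals("OK")) {
                System.out.printf("%-13s %-40s notAfter=%s%n    %s%n",
                        f.status(), f.alias(), f.notAfter(), f.subject());
            }
        }
    }
}
```

Run it as `java TrustStoreExpiryAudit [path-to-truststore] [password]`; anything reported as EXPIRED is an anchor the PKIX trust manager will already be discarding during path building, and EXPIRING entries are the ones to rotate before that happens. Wrapping a client's `SSLSocket`/`HttpsURLConnection` call in a `catch (SSLHandshakeException e)` and logging `describeHandshakeFailure(e)` surfaces the underlying reason instead of the generic message.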

OTHER TIPS

I would expect an expired certificate to not be used by the system. So to your code, it should behave as though not found at all.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow