Reputation: 2632
Enable Java to permit expired certificate
Is there any command line flag(s) to enable Java to permit expired certificates?
Right now I'm getting the following exception as the Certificate is expired.
Caused by: java.security.cert.CertificateExpiredException: NotAfter: {PAST DATETIME}
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.apache.ws.security.validate.SignatureTrustValidator.validateCertificates(SignatureTrustValidator.java:103)
I've tried the following command line flag which doesn't ignore Certificate Expiration check
-Dcom.sun.net.ssl.checkRevocation=false
Our application is running in tomcat under path /myapplication. So I created another application /ignorecertificate and deployed in same Tomcat's webapp folder. As per the accepted answer in this question, I run the following code in startup of /ignoreexpired application.
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception (Bcoz both applications share the same java instance). But still it's not working. I run this ignore code in another application(/ignoreexpired) coz I don't want to make any changes in my current application(/myapplication).
Upvotes: 8
Views: 26380
Answers (1)
Reputation: 39251
-Dcom.sun.net.ssl.checkRevocation=false
This option (with some additional config) allows online check to the certificate issuer on the revocation status of the certificate. Not what you're looking for.
Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception
Applications run in different JVM context. Changes in TrustManager of /ignoreexpired application will not affect the other one.
You can include the expired certificate in the truststore used by JVM. I think the TrustoreManager will not check expiration on certificates expressly included in the trust store. Create a JKS using keytool or GUI KeyStore explorer, insert the certificate (the final certificate, not the root) and use it globally in tomcat through
-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=truststorepassword
You can also update the default JVM truststore at jre/lib/security/cacerts
Upvotes: 9
Related Questions
- added certificate to java keystore, still error
- Checking certificates expiration dates in java keystore
- java - ignore expired ssl certificate
- Java code to display expiration date of certificates in a Java KeyStore
- extend keystore certificate validity time
- Extending expiration date of trustedCertEntry within a keystore
- Import expired SSL certificate into Java keystore
- How do I accept an expired ssl certificate with Apache client?
- How to make Java "trust" an expired certificate?
- Java SSL/TLS ignore expired cert? (java.security.cert.CertPathValidatorException: timestamp check failed)