Menu
Is there any command line flag(s) to enable Java to permit expired certificates?
Right now I'm getting the following exception as the Certificate is expired.
Caused by: java.security.cert.CertificateExpiredException: NotAfter: {PAST DATETIME}
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.apache.ws.security.validate.SignatureTrustValidator.validateCertificates(SignatureTrustValidator.java:103)
I've tried the following command line flag which doesn't ignore Certificate Expiration check
-Dcom.sun.net.ssl.checkRevocation=false
Our application is running in tomcat under path /myapplication. So I created another application /ignorecertificate and deployed in same Tomcat's webapp folder. As per the accepted answer in this question, I run the following code in startup of /ignoreexpired application.
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception (Bcoz both applications share the same java instance). But still it's not working. I run this ignore code in another application(/ignoreexpired) coz I don't want to make any changes in my current application(/myapplication).
497
To do so, click Start, then go to the Control Panel. Once the Control Panel window is displayed, look for the Java icon and double click it. Right click over the above text and select "Copy". Then, go to the command prompt you just opened up, and right click in the middle of the window and select "Paste".
The steps to install a new certificate into the Java default truststore are: extract cert from server: openssl s_client -connect server:443. import certificate into truststore using keytool: keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts.
-Dcom.sun.net.ssl.checkRevocation=false
This option (with some additional config) allows online check to the certificate issuer on the revocation status of the certificate. Not what you're looking for.
Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception
Applications run in different JVM context. Changes in TrustManager of /ignoreexpired application will not affect the other one.
You can include the expired certificate in the truststore used by JVM. I think the TrustoreManager will not check expiration on certificates expressly included in the trust store. Create a JKS using keytool or GUI KeyStore explorer, insert the certificate (the final certificate, not the root) and use it globally in tomcat through
-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=truststorepassword
You can also update the default JVM truststore at jre/lib/security/cacerts
131
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
