 

How to check SSL certificate expiration date programmatically in Java

I need to extract the expiration date from the SSL certificate of a web site in Java. It should support both trusted and self-signed certificates, such as:

  1. trusted: https://github.com

  2. self-signed: https://mms.nw.ru/

I already copied some code:

import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SSLTest {

    public static void main(String [] args) throws Exception {
        // configure the SSLContext with a TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom());
        SSLContext.setDefault(ctx);

        URL url = new URL("https://github.com");//https://mms.nw.ru
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        });
        System.out.println(conn.getResponseCode());
        Certificate[] certs = conn.getServerCertificates();
        for (Certificate cert :certs){
            System.out.println(cert.getType());
            System.out.println(cert);
        }

        conn.disconnect();
    }

    private static class DefaultTrustManager implements X509TrustManager {

        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }
}

The questions are:

  1. How to parse the expiration date from the certificate? In my code the toString() did output the date, but it is hard to parse.

  2. How to determine the certificate chain, e.g., the github certificate has a chain of 3; how do I know which certificate to get the expiration date from?

Simon Wang asked Oct 19 '12 03:10




1 Answer

How to parse the expiration date from the certificate

Cast it to an X509Certificate and call getNotAfter().

How to determine the certificate chain, e.g., the github certificate with chains

You've got it. That's what the Certificate[] array is, as it says in the Javadoc.

How did I know which certificate to get the expiration date from?

Read the Javadoc. "The peer's own certificate first followed by any certificate authorities".

However I don't know why you're doing any of this. Java should already do it all for you.

And please throw away that insecure and incorrect TrustManager implementation. The correct way to handle self-signed certificates is to import them into the client truststore. Please also throw away your insecure HostnameVerifier, and use the default one, or a secure one. Why use HTTPS at all if you don't want it to be secure?

user207421 answered Oct 03 '22 23:10
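
An added example, not part of the original question or answer: the check written along the lines the answer recommends. It keeps the default hostname verifier and chain validation, trusts a self-signed server only through a truststore built from that server's certificate, and reads getNotAfter() from each X509Certificate in the chain (index 0 is the peer's own certificate). The class name CertExpiryCheck and the command-line arguments (URL, optional PEM file path) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CertExpiryCheck { // hypothetical class name
    // SSLContext trusting only the certificate(s) in a PEM file (for a self-signed server).
    static SSLContext contextTrusting(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory truststore
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("pinned-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    // args[0] = https URL; args[1] (optional) = PEM file holding the self-signed certificate
    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        if (args.length > 1) conn.setSSLSocketFactory(contextTrusting(args[1]).getSocketFactory());
        try {
            conn.connect(); // handshake; throws if chain validation or the hostname check fails
            Certificate[] chain = conn.getServerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x509 = (X509Certificate) chain[i];
                Instant notAfter = x509.getNotAfter().toInstant();
                long days = Duration.between(Instant.now(), notAfter).toDays();
                System.out.printf("[%d] %s %s notAfter=%s (%d days left)%n", i,
                        i == 0 ? "leaf" : "CA", x509.getSubjectX500Principal().getName(), notAfter, days);
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

For a publicly trusted site, pass only the URL so the JVM's default truststore is used; for a self-signed site, pass the PEM file of its certificate as the second argument.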