There is a webservice protected by a certificate. In the client code which calls it, the certificate's CA has to be present in the truststore (JRE_path\lib\security\cacerts) - if not, you get the PKIX exception on the client side.
What happens if the certificate has expired - the client code fails.
However, this can be bypassed by adding the certificate directly into the truststore - Trusting an expired certificate
i.e. if the certificate itself and not the CA is present in the truststore, then everything works even if the certificate has expired.
In my scenario, the webservice certificate is a self-signed one, so I anyway had to add it to the truststore, and the client continues to work fine even when the cert has expired.
Now my question is will this work in all scenarios - my program is just a command line program running on a local JRE.
In case there is an application calling the webservice and the application is running on Websphere, JBoss, WebLogic, Tomcat, Glassfish etc and the self signed cert is added to truststore of that environment, can I still assume that it will continue to work (not give expired errors)?
I assume it would work - because those application servers would also use a JRE just like any program - or am I missing something?
You can bypass all certificates with the code below
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;          // LOGGER is not declared in the original snippet;
import org.slf4j.LoggerFactory;   // SLF4J is assumed here, any logger with debug/error works

public class TrustAllCertificates {
    private static final Logger LOGGER = LoggerFactory.getLogger(TrustAllCertificates.class);

    public static void install() {
        try {
            // Trust manager that never throws: no CA check, no expiry check, no revocation check.
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }
            } };
            SSLContext sc = SSLContext.getInstance("SSL");
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            // Hostname verifier that accepts every host, so the certificate name is never matched.
            HostnameVerifier allHostsValid = new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
            // Both calls are process-wide: every HTTPS connection in this JVM is affected.
            SSLContext.setDefault(sc);
            HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
            LOGGER.debug("All Certificates Have Been Trusted Successfully.");
        } catch (KeyManagementException ex) {
            LOGGER.error("Error:", ex);
        } catch (NoSuchAlgorithmException ex) {
            LOGGER.error("Error:", ex);
        }
    }
}
To answer your question: "If I add a self signed certificate to the trust store, will the certificate still be trusted after it's expired - or will it throw an exception?"
It will still be trusted (at least within Java's cacerts trust store). See https://softwareengineering.stackexchange.com/a/308538