Java trustmanager behavior on expired certificates

离开以前 2020-12-29 08:00

Does Java's TrustManager implementation ignore whether a certificate has expired?
I tried the following:
- Using keytool and parameter -startdate "1

3 answers
  • 2020-12-29 08:35

    I've just had a similar issue myself while overriding checkServerTrusted.

    Turns out that if you need to check expiration you can call X509Certificate.checkValidity() and it will throw either a CertificateExpiredException or a CertificateNotYetValidException. Both of these extend CertificateException so they can be happily thrown by checkServerTrusted.

    To solve your problem you could implement a new X509TrustManager which creates your original instance in its constructor, implements all methods as calls to the original instance, and adds a call to checkValidity for each certificate in certs[] inside checkServerTrusted.

    0 Discussion (0)
  • 2020-12-29 08:39

    I did not try your example, but now I regularly have to regenerate my server certificates (for our development server) since their certificates have quite short validity times.

    In our case the client does not have the server certificates themselves in the truststore, but only the certificate of our CA (with longer validity), and when the client tries to connect to the server, both sides get an SSLException (which may be wrapped in another exception in your case).

    I guess that the trust manager assumes something like "if you give me expired certificates to trust in, I'll do it". Try our approach instead (it also saves you from having to update the client each time the server certificate expires).

    0 Discussion (0)
  • 2020-12-29 08:46

    I believe IBM's JSSE checks for expiry while Sun's does not.

    0 Discussion (0)