问题
My client is failing with the below error while communicating with a https server with an expired cert. While we are in the process of waiting that to be fixed on the server side by renewing, I am wondering if we can by pass this error by adding the expired cert to our own trust store? This allows us to gain some testing time while waiting for the cert to be renewed.
US has an end date Thu Sep 08 19:59:59 EDT 2011 which is no longer valid.
[4/17/13 19:22:55:618 EDT] 00000021 SystemOut O WebContainer : 0, SEND TLSv1 ALERT: fatal, description = certificate_unknown
[4/17/13 19:22:55:620 EDT] 00000021 SystemOut O WebContainer : 0, WRITE: TLSv1 Alert, length = 2
[4/17/13 19:22:55:620 EDT] 00000021 SystemOut O WebContainer : 0, called closeSocket()
[4/17/13 19:22:55:620 EDT] 00000021 SystemOut O WebContainer : 0, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Thawte SSL CA, O="Thawte, Inc.", C=US is not trusted; internal cause is:
回答1:
Use the following code to trust all certificates. Note: Do not use it in the production
try {
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(new KeyManager[0], new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String name) throws CertificateException {}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String name) throws CertificateException {}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
} }, new SecureRandom());
SSLContext.setDefault(ctx);
} catch (Exception e) {
throw new RuntimeException(e);
}
来源:https://stackoverflow.com/questions/16072184/trusting-an-expired-certificate