Sidebar

How can I set my https listeners to check certificate expiration?

0 votes
241 views
asked Dec 1, 2015 by brandon-w-8204 (31,300 points)
I need to set my source http litenser to not trust expired certificates. Can I set QIE to do this?  When I trust a new certificate, but the old expired certificate is presented, QIE trusts it and allows it to make the connection.

1 Answer

0 votes

By default the Oracle JRE uses their own 'SunX509' certificate validator.  This validator does not validate the expiration of the certificate by default if the certificate is explicitly trusted.  It checks that the certificate key presented matches the certificate in the trust store and if it does match, it will always accept the certificate presented even if the presented certificate is expired.

The simplest fix for this is to switch to the PKIX certificate validator.  This validator will always validate the expiration date of certificates presented to QIE.  The validator can be enabled by adding the following java option to QIE.

-Dssl.TrustManagerFactory.algorithm=PKIX

answered Dec 1, 2015 by ben-s-7515 (11,430 points)
...