0 votes
507 views
by brandon-w-8204 (34.1k points)
I need to set my source HTTP listener to not trust expired certificates. Can I set QIE to do this? When I trust a new certificate, but the old expired certificate is presented, QIE trusts it and allows it to make the connection.

1 Answer

0 votes

By default the Oracle JRE uses its own 'SunX509' certificate validator. This validator does not validate the expiration of the certificate by default if the certificate is explicitly trusted. It checks that the certificate key presented matches the certificate in the trust store, and if it does match, it will always accept the certificate presented even if the presented certificate is expired.

The simplest fix for this is to switch to the PKIX certificate validator. This validator will always validate the expiration date of certificates presented to QIE. The validator can be enabled by adding the following Java option to QIE.

-Dssl.TrustManagerFactory.algorithm=PKIX

by ben-s-7515 (13.0k points)
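As an added illustration (not code from the answer above or from QIE), the following Java diagnostic loads a truststore and a certificate from paths given on the command line and reports whether the SunX509 and PKIX trust managers accept that certificate, so the behaviour described in the answer can be checked on the JVM actually in use. The file names, alias and password in the comments are placeholders; the keytool commands use keytool's relative -startdate syntax to produce an already-expired self-signed test certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not QIE code. Usage (paths and password are placeholders):
//   java TrustCheck trust.jks changeit old.cer
// An expired self-signed test cert (valid from 400 days ago for 365 days) via keytool:
//   keytool -genkeypair -alias old -keyalg RSA -dname CN=old -keystore old.jks \
//           -startdate -400d -validity 365
//   keytool -exportcert -alias old -keystore old.jks -file old.cer
//   keytool -importcert -alias old -file old.cer -keystore trust.jks
public class TrustCheck {
    // Build a trust manager with the named algorithm over the truststore and ask it
    // to judge the presented chain, the same call JSSE makes for a server certificate.
    static String check(String algorithm, KeyStore trustStore, X509Certificate[] chain) {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
            tmf.init(trustStore);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return algorithm + ": ACCEPTED";
                }
            }
            return algorithm + ": no X509TrustManager provided";
        } catch (Exception e) {
            // The CertificateException message states the reason for the rejection
            return algorithm + ": REJECTED (" + e + ")";
        }
    }
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Certificate notAfter: " + cert.getNotAfter());
        X509Certificate[] chain = { cert };
        System.out.println(check("SunX509", trustStore, chain));
        System.out.println(check("PKIX", trustStore, chain));
        // Reports which algorithm this JVM is configured to use by default
        System.out.println("JVM default algorithm: " + TrustManagerFactory.getDefaultAlgorithm());
    }
}
```

Running it against a truststore that contains the expired certificate shows directly which validator rejects it and which still accepts it.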