7

Is there any command line flag(s) to enable Java to permit expired certificates?

Right now I'm getting the following exception as the Certificate is expired.

Caused by: java.security.cert.CertificateExpiredException: NotAfter: {PAST DATETIME}
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:602)
at org.apache.ws.security.validate.SignatureTrustValidator.validateCertificates(SignatureTrustValidator.java:103)

I've tried the following command line flag which doesn't ignore Certificate Expiration check

-Dcom.sun.net.ssl.checkRevocation=false

Our application is running in tomcat under path /myapplication. So I created another application /ignorecertificate and deployed in same Tomcat's webapp folder. As per the accepted answer in this question, I run the following code in startup of /ignoreexpired application.

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
    e.printStackTrace();
}

Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception (Bcoz both applications share the same java instance). But still it's not working. I run this ignore code in another application(/ignoreexpired) coz I don't want to make any changes in my current application(/myapplication).

Community
  • 1
  • 1
The Coder
  • 2,562
  • 5
  • 33
  • 62
  • The coder, you should accept his answer, it's a pretty good and informative one! I know you likely just forgot considering your reputation, lol. – JGlass Apr 12 '19 at 19:21

1 Answers1

7
-Dcom.sun.net.ssl.checkRevocation=false

This option (with some additional config) allows online check to the certificate issuer on the revocation status of the certificate. Not what you're looking for.

Since both applications were deployed in same tomcat, I expected /myapplication to ignore certificate expiration check / exception

Applications run in different JVM context. Changes in TrustManager of /ignoreexpired application will not affect the other one.

You can include the expired certificate in the truststore used by JVM. I think the TrustoreManager will not check expiration on certificates expressly included in the trust store. Create a JKS using keytool or GUI KeyStore explorer, insert the certificate (the final certificate, not the root) and use it globally in tomcat through

-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.trustStorePassword=truststorepassword

You can also update the default JVM truststore at jre/lib/security/cacerts

pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • 2
    Man, I totally did not know this neither did my manager/java coding boss but you are completely right. Tested with JDK8 with `-Djavax.net.debug=all` and I could see that the expired cert was found and also trusted! Thanks! – JGlass Apr 12 '19 at 19:19
  • 1
    @JGlass thank you for the "-Djavax.net.debug=all" part. So good to see all handshaking during these corona time ;) – Ramsharan Aug 10 '20 at 11:49