
Using Java and Playframework.

My only example is Facebook. I store the x509 certificate in my keystore. Eventually (at least once every 10-12 months) the certificate expires and I use openssl to go grab the new one and update the keystore using keytool. Sometimes when I am trying to get the new certificate from the Facebook server it doesn't get the new one (likely, I imagine, because they are updating on all of their different servers/instances).

Either way, this makes it so that I won't be able to allow the use of the Facebook login on my site temporarily as I try to retrieve and update the certificate.

I have found ways to get the certificate from a request here: "Get certificate and add it to a Java truststore, when only having https URL?" and then save it programmatically without keytool here: "Programmatically Import CA trust cert into existing keystore file without using keytool".

I obviously have a lack of understanding as to best practices, but how do others tackle this problem?

Essentially what I am looking for is a way to make it so that there isn't an interruption in the ability to use Facebook login while I am updating the certificate. Or minimizing the interruption.

compdrew
  • Please add more information about what problem you are trying to solve. Do you have a website which needs an x509 certificate to authorize users via Facebook? In what language is it written and what framework is used? You also say that you have a working solution for certificate retrieval, but sometimes it does not work. How exactly does it not work? Maybe it is the problem that should be fixed? – Alexey Guseynov Sep 28 '16 at 16:41
  • I am using Java and Playframework. The part that sometimes doesn't work is the openssl to get the new certificate. Sometimes it will return the old one still until what I imagine is them finishing the updating of the certificates on their servers/instances. – compdrew Sep 28 '16 at 16:56
  • Can you try updating the certificate before it expires, for example a week before it expires? Then you will have plenty of time if something goes wrong. In particular, you will be able to try to get the new certificate again and again without service interruption. – Alexey Guseynov Sep 28 '16 at 17:02
  • It tends to be unexpected, up to a month before the actual expiration date on the certificate. I was thinking I could just have a small process that runs checking the certificate every day to see if it has changed, but that seems like it might not be the best way to do it. – compdrew Sep 28 '16 at 17:04
