
Re: [iaik-ssl] What to do with expired CA certificates?


There is a known issue with server certificates issued by an already expired
but meanwhile re-issued Verisign certificate. The expired certificate is sent,
and browsers already having access to the re-issued certificate accept the
chain. You may extend the ChainVerifier to accept the re-issued cert. The
simplest approach may be to override method verifyChain for "replacing" any
supplied cert having a re-issued equivalent already in the trust cache,
something like:

import java.security.cert.X509Certificate;
import java.util.Hashtable;
import iaik.security.ssl.ChainVerifier;
import iaik.security.ssl.SSLTransport;

public class ReissuedChainVerifier extends ChainVerifier {
  // re-issued certificates, keyed by subject DN
  private Hashtable reissued = new Hashtable();

  public void addReissuedCertificate(X509Certificate cert) {
    reissued.put(cert.getSubjectDN().getName(), cert);
    addTrustedCertificate(cert);   // the re-issued cert is trusted as well
  }

  public boolean verifyChain(X509Certificate[] certs, SSLTransport transport) {
    if (certs == null) {
      return super.verifyChain(certs, transport);
    }
    for (int i = 0; i < certs.length; i++) {
      // is there an equivalent cert (same subject, same public key) in the cache?
      X509Certificate cachedCert =
          (X509Certificate) reissued.get(certs[i].getSubjectDN().getName());
      // replace the cert:
      if (cachedCert != null && cachedCert.getPublicKey().equals(certs[i].getPublicKey())) {
        certs[i] = cachedCert;
      }
    }
    // now let the old verifier verify the chain
    return super.verifyChain(certs, transport);
  }
}

This would replace a cert immediately in the supplied chain. You may either
use a temporary array to be verified by the old chain verifier, or you may
implement a more sophisticated strategy.

Another way might be to add cert[0] to the trust cache of the old standard
chain verifier. In this case the certificate should be accepted since
verification stops when finding a trusted cert in the cache.

Dieter Bratko
-----Original Message-----
From: iaik-ssl-owner@iaik.tu-graz.ac.at
[mailto:iaik-ssl-owner@iaik.tu-graz.ac.at] On behalf of Tom van den Berge
Sent: Wednesday, 2 August 2000 13:41
To: iaik-ssl@iaik.tu-graz.ac.at
Subject: [iaik-ssl] What to do with expired CA certificates?

The (default) ChainVerifier does not allow certificate chains to contain any
certificate that has expired. When a chain is verified with a user
certificate that has not expired and a CA certificate that has expired, the
chain is rejected.
Although this makes sense, it is very common that one of the CA certificates
in a certificate chain has expired. Can anyone tell me how to handle these
situations? Should I make a ChainVerifier that ignores the expiry dates of
all CA certificates, and only validates the expiry date of the user
certificate? Or should I obtain a valid CA certificate, and then continue
verifying? If so, where can these certificates be obtained?
Tom van den Berge                                tom.vandenberge@bibit.com
Development                                          V +31 (0)30 65 65 665
Bibit Billing Services BV                            F +31 (0)30 65 64 464
Kosterijland 70-78                                           www.bibit.com
3981 AJ Bunnik
The Netherlands
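The situation Tom asks about and both of Dieter's answers (substitute the re-issued equivalent before verifying, or put the offending certificate into the trust cache so verification stops there), shown end to end as an added example that is not part of the original thread and not iSaSiLk code. It is written against Go's standard library only so it runs without any IAIK jars; the IAIK-specific piece is the verifyChain override above. BuildScenario, VerifyAsSent and SubstituteReissued are names chosen here, and the whole PKI (an "Example Root CA" whose certificate has expired, the same CA re-issued with the same key pair, and a server certificate issued under the expired one) is generated in memory as constructed sample data. VerifyAsSent walks the chain exactly as sent, which is the behaviour the default verifier is described as having; it does not do path building the way a browser would.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; fixture setup only, nothing below fails on a working system.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustSign issues tmpl under parent (parent == tmpl gives a self-signed certificate).
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// BuildScenario generates a throw-away test PKI relative to now (constructed sample data,
// nothing issued by a real CA): a server cert under an expired CA cert, plus the re-issued CA.
func BuildScenario(now time.Time) (server, oldCA, newCA *x509.Certificate) {
	caKey, srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	year := 365 * 24 * time.Hour
	selfSignedCA := func(serial int64, from, to time.Time) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Root CA"},
			NotBefore: from, NotAfter: to,
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
		return mustSign(t, t, &caKey.PublicKey, caKey)
	}
	// the original CA certificate expired a year ago; the re-issue keeps subject and
	// key but carries a new serial number and a fresh validity period
	oldCA = selfSignedCA(1, now.Add(-3*year), now.Add(-year))
	newCA = selfSignedCA(2, now.Add(-year), now.Add(5*year))
	// the server certificate is still valid itself but was issued under oldCA
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now.Add(-30 * 24 * time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(srv, oldCA, &srvKey.PublicKey, caKey), oldCA, newCA
}

// VerifyAsSent checks the chain exactly as the peer sent it: it stops at the first trusted
// certificate; otherwise each link must be valid now and signed by the next, and the last must be trusted.
func VerifyAsSent(chain, trusted []*x509.Certificate, now time.Time) error {
	for i, c := range chain {
		for _, t := range trusted {
			if bytes.Equal(c.Raw, t.Raw) {
				return nil // reached a certificate that is trusted as-is, expired or not
			}
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q: not valid at %s", c.Subject.CommonName, now.Format("2006-01-02"))
		}
		if i == len(chain)-1 {
			return fmt.Errorf("%q: chain does not end in a trusted certificate", c.Subject.CommonName)
		}
		if err := c.CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("%q: bad signature: %w", c.Subject.CommonName, err)
		}
	}
	return fmt.Errorf("empty chain")
}

// SubstituteReissued returns a copy of chain in which every certificate that has a currently
// valid re-issued equivalent in trusted (same subject, same public key) is replaced by it.
func SubstituteReissued(chain, trusted []*x509.Certificate, now time.Time) []*x509.Certificate {
	out := append([]*x509.Certificate(nil), chain...)
	for i, c := range out {
		for _, t := range trusted {
			if bytes.Equal(c.RawSubject, t.RawSubject) && bytes.Equal(c.RawSubjectPublicKeyInfo, t.RawSubjectPublicKeyInfo) &&
				!now.Before(t.NotBefore) && !now.After(t.NotAfter) {
				out[i] = t
				break
			}
		}
	}
	return out
}

func main() {
	now := time.Date(2000, time.August, 2, 13, 41, 0, 0, time.UTC)
	server, oldCA, newCA := BuildScenario(now)
	chain, trusted := []*x509.Certificate{server, oldCA}, []*x509.Certificate{newCA}
	fmt.Println("chain as sent:            ", VerifyAsSent(chain, trusted, now))
	fmt.Println("after substitution:       ", VerifyAsSent(SubstituteReissued(chain, trusted, now), trusted, now))
	fmt.Println("expired CA trusted as-is: ", VerifyAsSent(chain, []*x509.Certificate{oldCA}, now))
}
```

The first call fails on the expired CA certificate, the second passes because the expired link has been swapped for its re-issued equivalent before verification, and the third passes because the expired certificate itself is in the trust list. The substitution only fires when subject and public key match and the replacement is itself within its validity period, so an attacker cannot get an arbitrary expired certificate accepted by sharing only its name. The trust-list shortcut, by contrast, skips the date check on whatever is trusted as-is, so it should be limited to the specific certificate at hand rather than applied wholesale.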