The (default) ChainVerifier does not allow certificate chains to contain any certificate that has expired. When a chain is verified with a user certificate that has not expired, and a CA certificate this has expired, the chain is rejected.
Although this makes sense, it is very common that one of the CA certificates in a certificate chain has expired.
Can anyone tell me how to handle in these situations? Should I make a ChainVerifier that ignores expirydates of all CA certificates, and only validates the expiry date of the user certificate?
Or should I obtain a valid CA certificate, and then continue verifying? If so, where can these certificates be obtained?
Dr. Peter Lipp
IAIK, TU Graz
Inffeldgasse 16a, A-8010 Graz, Austria
Tel: +43 316 873 5513
Fax: +43 316 873 5520