[iaik-ssl] What to do with expired CA certificates?
The (default) ChainVerifier does not allow certificate chains to contain
any certificate that has expired. When a chain is verified with a user
certificate that has not expired, and a CA certificate that has expired,
the chain is rejected.
Although this makes sense, it is very common that one of the CA certificates
in a certificate chain has expired. Can anyone tell me how to handle
these situations? Should I make a ChainVerifier that ignores expiry dates
of all CA certificates, and only validates the expiry date of the user
certificate? Or should I obtain a valid CA certificate, and then continue
verifying? If so, where can these certificates be obtained?
Tom van den Berge email@example.com
Development V +31 (0)30 65 65 665
Bibit Billing Services BV F +31 (0)30 65 64 464
Kosterijland 70-78 www.bibit.com
3981 AJ Bunnik