[iaik-ssl] What to do with expired CA certificates?

The (default) ChainVerifier does not allow certificate chains to contain any certificate that has expired. When a chain is verified with a user certificate that has not expired, and a CA certificate that has expired, the chain is rejected.
Although this makes sense, it is very common that one of the CA certificates in a certificate chain has expired. Can anyone tell me how to handle these situations? Should I make a ChainVerifier that ignores expiry dates of all CA certificates, and only validates the expiry date of the user certificate? Or should I obtain a valid CA certificate, and then continue verifying? If so, where can these certificates be obtained?


Tom van den Berge                                tom.vandenberge@bibit.com
Development                                          V +31 (0)30 65 65 665
Bibit Billing Services BV                            F +31 (0)30 65 64 464
Kosterijland 70-78                                           www.bibit.com
3981 AJ Bunnik
The Netherlands