
AW: [iaik-ssl] What to do with expired CA certificates?

The (default) ChainVerifier does not allow certificate chains to contain any certificate that has expired. When a chain is verified with a user certificate that has not expired, and a CA certificate that has expired, the chain is rejected.
Although this makes sense, it is very common that one of the CA certificates in a certificate chain has expired.  
According to the PKIX conventions, this case is not "allowed" and our verifier sticks to this.
 Can anyone tell me how to handle these situations? Should I make a ChainVerifier that ignores expiry dates of all CA certificates, and only validates the expiry date of the user certificate?  
If our verifier does not suit your needs, you need to either write your own, use our trustmanager (that still is in beta and a release date is not set yet) or clean up the certificates.
 Or should I obtain a valid CA certificate, and then continue verifying? If so, where can these certificates be obtained?  
Which ones? Go to the CA that issued the certificates, they should have them - especially if they are self-signed...

Dr. Peter Lipp
Inffeldgasse 16a, A-8010 Graz, Austria
Tel: +43 316 873 5513
Fax: +43 316 873 5520
Web: www.iaik.at
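Added example, not code from the thread or from the IAIK libraries: a minimal chain check over a hypothetical Cert record (leaf first, trust anchor last) that reports validity-window and issuer/subject mismatches under the strict PKIX rule the default ChainVerifier applies, and under the relaxed "ignore CA expiry dates" variant raised in the question. Signature verification and revocation checking are assumed to happen elsewhere and are omitted; the sample chain is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for an X.509 certificate; only the fields the check needs."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def check_chain(chain, now, ignore_ca_expiry=False):
    """Check a chain ordered leaf first, trust anchor last; return a list of problems.

    ignore_ca_expiry=False: every certificate must be within its validity period
    at `now`, which is the PKIX rule the default ChainVerifier enforces.
    ignore_ca_expiry=True: only the end-entity certificate's dates are checked,
    the relaxed variant asked about in the thread. It is not PKIX-conformant:
    a chain through an expired CA passes although no standard validator would
    accept it, so it is a workaround to be logged and reviewed, not a policy.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    for i, cert in enumerate(chain):
        if i > 0 and not cert.is_ca:
            problems.append(f"{cert.subject}: not a CA certificate")
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            problems.append(f"{cert.subject}: issuer does not match {chain[i + 1].subject}")
        if ignore_ca_expiry and i > 0:
            continue  # CA validity window deliberately skipped in the relaxed mode
        if now < cert.not_before:
            problems.append(f"{cert.subject}: not yet valid (notBefore {cert.not_before:%Y-%m-%d})")
        elif now > cert.not_after:
            problems.append(f"{cert.subject}: expired (notAfter {cert.not_after:%Y-%m-%d})")
    return problems

# Constructed sample chain: valid user certificate, expired intermediate CA, valid root.
NOW = utc(2001, 6, 1)
LEAF = Cert("CN=user", "CN=Sub CA", utc(2001, 1, 1), utc(2002, 1, 1), False)
SUB_CA = Cert("CN=Sub CA", "CN=Root CA", utc(1998, 1, 1), utc(2001, 1, 1), True)
ROOT = Cert("CN=Root CA", "CN=Root CA", utc(1997, 1, 1), utc(2007, 1, 1), True)
CHAIN = [LEAF, SUB_CA, ROOT]

if __name__ == "__main__":
    print("strict :", check_chain(CHAIN, NOW) or "accepted")
    print("relaxed:", check_chain(CHAIN, NOW, ignore_ca_expiry=True) or "accepted")
```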