Trusting an expired self-signed certificate while calling a webservice
There is a webservice protected by a certificate. In the client code which calls it, the certificate's CA has to be present in the truststore (JRE_path\lib\security\cacerts); if not, you get the PKIX exception on the client side.

What happens if the certificate has expired? The client code fails.

However, this can be bypassed by adding the certificate directly into the truststore: Trusting an expired certificate

i.e. if the certificate itself, and not the CA, is present in the truststore, then everything works even if the certificate has expired.

In my scenario, the webservice certificate is a self-signed one, so I had to add it to the truststore anyway, and the client continues to work fine even when the cert has expired.

Now my question is: will this work in all scenarios? My program is just a command line program running off a local JRE.

In case there is an application calling the webservice and the application is running on WebSphere, JBoss, WebLogic, Tomcat, GlassFish etc. and the self-signed cert is added to the truststore of that environment, can I still assume that it will continue to work (not give expired errors)?

I assume it would work, because those application servers would also use a JRE just like any program. Or am I missing something?

Ardyce answered 2/7, 2015 at 10:14 Comment(4)
If you don't want it secure, don't use HTTPS. If you do want it secure, don't try to cherry-pick your own security features. - Nava
Like @EJP said: it is usually not a good idea to weaken security. But often we as programmers also have to prevent applications from failing silently. So you should either make sure that, if the program fails, the reason becomes clear to any administrator looking into the issue, or you could try to catch the exceptions that occur from expired certificates, or force from inside your code which certificates are accepted: #6659860 - Mastigophoran
If you have the openssl command in your environment (install it), you can use it as a background command-line application with a date check and read the result. - Clova
@AliHelmy How will that help? - Ardyce
You can bypass all certificates with the code below

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class TrustAllCertificates {
        // LOGGER is assumed to be SLF4J; the original snippet did not show its declaration.
        private static final Logger LOGGER = LoggerFactory.getLogger(TrustAllCertificates.class);

        // Installs a trust manager that accepts every certificate (no chain, expiry or
        // hostname validation at all) as the JVM-wide default for HttpsURLConnection.
        public static void trustAll() {
            try {
                TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                    public X509Certificate[] getAcceptedIssuers() {
                        return new X509Certificate[0]; // empty rather than null: some callers dereference this
                    }

                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                        // intentionally empty: every client certificate is accepted
                    }

                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                        // intentionally empty: every server certificate is accepted, expired ones included
                    }
                } };
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, trustAllCerts, new SecureRandom());

                HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
                HostnameVerifier allHostsValid = new HostnameVerifier() {
                    public boolean verify(String hostname, SSLSession session) {
                        return true; // any hostname passes, so the certificate subject is never matched
                    }
                };
                SSLContext.setDefault(sc);
                HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
                LOGGER.debug("All Certificates Have Been Trusted Successfully.");
            } catch (KeyManagementException ex) {
                LOGGER.error("Error:", ex);
            } catch (NoSuchAlgorithmException ex) {
                LOGGER.error("Error:", ex);
            }
        }
    }
Clova answered 10/7, 2015 at 16:39 Comment(7)
I know this. However, that's not what I am looking for. - Ardyce
Can you clarify more what you want? - Clova
I want to know if the expiry of self-signed certificates is always ignored if the self-signed cert is present in the trust store. - Ardyce
This does not 'bypass all certificates'. It merely trusts all certificates. The OP needs to remove the expiration checks which occur before this code would be called. And it is insecure. @Ardyce No, the expiration and validity are always checked. - Nava
@EJP - I do not need any code which removes expiration checks. I just need to know if expiry checks are ignored if a self-signed cert is present in the trust store. I checked with a command line program and the Java trust store, and it is ignored. I want to know if it's also ignored with WebSphere, WebLogic and other popular app servers. - Ardyce
Can you read [this article](javacodegeeks.com/2011/12/…) carefully? - Clova
@AliHelmy - I have read it, but I am not sure how it solves my problem. I am not looking for code. I am looking for an answer to the following question: if I add a self-signed certificate to the trust store, will the certificate still be trusted after it's expired, or will it throw an exception? I am not looking for how to ignore the check. I am looking for an answer (if there is one) as to whether the expiry check will be done in WebLogic, WebSphere and other popular app servers. I am not looking to bypass the check. I know the check is not done for the default Java trust store. - Ardyce
To answer your question: "If I add a self-signed certificate to the trust store, will the certificate still be trusted after it's expired, or will it throw an exception?"

It will still be trusted (at least within Java's cacerts trust store). See https://softwareengineering.stackexchange.com/a/308538

Sitdown answered 7/6, 2018 at 23:28 Comment(0)