6

A simple question here.

One application gave me this exception when trying to access a website with a expired certificate: java.security.cert.CertificateExpiredException

So, I renewed the certificated from the website machine and restarted it. When I try to access it from Firefox or Chrome it will load the new certificate (which it's expiration date is set somewhere near 2040).

The problem is, Java applications doesn't seems to renew this certificate, it seems to be stuck in some kind of internal cache. I already tried to add it to the keystore and set options in the application properties like -Dcom.sun.net.ssl.checkRevocation=false. No matter what I do, it always throw me a java.security.cert.CertificateExpiredException

Any ideas?

Alberto Fernández
  • 171
  • 1
  • 1
  • 5
  • Hello, did it work? –  Dec 26 '12 at 10:28
  • 1
    @user3338098 - Is this an application running on Tomcat or some type of appserver? The app may have its own .jks file. I'd try using lsof -p and see if you can't find where it's picking up the certificate. It's going to be in 1 of 3 places, the OS, the JVMs, or the locally to the app. It has to be in one of these places. – slm Jun 14 '18 at 23:59
  • 3
    @user3338098 - when you connect to the app using something like `openssl s_client -connect :` does it present the same 'stale' cert that you're seeing when you use the browser? – slm Jun 21 '18 at 00:11
  • 1
    @slm sorry for not responding, my bounty on this question caused me to run out of the reputation required to comment. Your comment sent me in the right direction towards the solution. – user3338098 Jul 27 '18 at 18:32
  • @user3338098 - no worries, glad you got it figured out. – slm Jul 27 '18 at 20:11

2 Answers2

1

The default Java keystore location is a .keystore file under your home directory (user.home system property) so unless you specify otherwise that is where a Java application will look.

Try running:

$ keytool -list -keystore ~/.keystore -storepass changeit -v

to see if the expired certificate is in there.

If you want to specify a different identity keystore to use then you can do so using the following system properties:

javax.net.ssl.Keystore=/path/to/identity.jks
javax.net.ssl.keyStorePassword=mykeystorepassword

I believe that Firefox uses NSS and you can view its keystore using the certutil utility (from the nss-tools or similar package) - something like:

$ certutil -L -d sql:$HOME/.pki/nssdb

You should be able to use the pk12util utility to extract the key and certificate into a PKCS12 file but you're probably better off just generating a new certificate signing request using the keytool utility.

Note that a revoked certificate is not the same as an expired one which is why your checkRevocation=false doesn't work. The CA can revoke a certificate at any time even if it has not yet expired and this indicates that it should no longer be trusted.

Keith Burdis
  • 334
  • 1
  • 4
  • might not help but there is also a cacerts file that is used, the path is like `/usr/lib/jvm/java-version/jre/lib/security/cacerts` on unix based systems – user3338098 Jun 08 '18 at 19:45
0

I came across this question while looking for a way to force Java to recognize newly imported certificates.

For me, the reason the certs weren't updating (on Windows) was because there was already a Java instance running (presumably with the old cert cache).

I simply killed the old Java process, and the next time it auto-booted (due to running Gradle procs) the certs were updated.

Coruscate5
  • 53
  • 9