
I've set up a custom SSL binding via netsh http add sslcert. This binding has the clientcertnegotiation parameter enabled, which causes the HTTP.sys subsystem to issue a client certificate request during the SSL handshake phase.

All good up to here: the client certificate is requested, and the client also sends it. The issue is that this particular certificate has passed its expiration date.

Common sense dictates that the expiration validation should be done at this level. Is there any particular option/setting that can make this happen?

Otherwise, it should probably be handled in the WCF application that's behind this binding - which is a whole different question.

Marcel N.

2 Answers


I don't know of a parameter you can use, but I had a similar problem where the server I was using didn't verify the validity of the certificate. Instead I implemented it in the infrastructure of my application: Loop over the certificate chain received from the client and verify all the certificates are valid: check both notBefore & notAfter parameters.

Ravivm

Yes, I know I can do this, but I'm trying to avoid it. I was thinking that if they have this whole system in place then a validity check would be one of the basic features. – Marcel N. Jun 02 '16 at 06:09

Ended up doing the validation in my code by using a custom X509 certificate validator.

Just get the certificate and check the dates.

Marcel N.
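An added example (not the asker's or Ravivm's code) of the approach both answers describe: a custom WCF X509CertificateValidator that checks NotBefore and NotAfter on the client certificate and on every certificate in its chain, plus the two lines that hook it into a ServiceHost. The class names, the no-revocation-check chain policy and the assumption that the endpoint uses transport security with ClientCredentialType = Certificate are mine, not from the thread.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not the asker's code. Rejects a client certificate (and any
// certificate in its chain) that is outside its validity window, regardless of
// what HTTP.sys/Schannel accepted during the handshake.
public sealed class ValidityPeriodCertificateValidator : X509CertificateValidator
{
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        // NotBefore/NotAfter come back in local time; compare everything in UTC.
        DateTime nowUtc = DateTime.UtcNow;
        CheckValidityWindow(certificate, nowUtc);

        using (var chain = new X509Chain())
        {
            // Assumption: revocation is handled elsewhere (or not at all); this
            // validator is only about the validity period.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Let the chain build even when an element is outside its window so the
            // explicit loop below can report exactly which certificate is the problem.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid
                                                | X509VerificationFlags.IgnoreNotTimeNested;

            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException(
                    "Client certificate chain could not be built: " + DescribeStatus(chain));

            // Leaf, intermediates and root: an expired intermediate is also a failure.
            foreach (X509ChainElement element in chain.ChainElements)
                CheckValidityWindow(element.Certificate, nowUtc);
        }
    }

    private static void CheckValidityWindow(X509Certificate2 cert, DateTime nowUtc)
    {
        DateTime notBefore = cert.NotBefore.ToUniversalTime();
        DateTime notAfter = cert.NotAfter.ToUniversalTime();

        if (nowUtc < notBefore)
            throw new SecurityTokenValidationException(
                $"Certificate '{cert.Subject}' is not yet valid (NotBefore {notBefore:u}).");
        if (nowUtc > notAfter)
            throw new SecurityTokenValidationException(
                $"Certificate '{cert.Subject}' expired at {notAfter:u}.");
    }

    private static string DescribeStatus(X509Chain chain)
    {
        var parts = new List<string>();
        foreach (X509ChainStatus status in chain.ChainStatus)
            parts.Add(status.Status + " (" + status.StatusInformation.Trim() + ")");
        return string.Join("; ", parts);
    }
}

// Hooking the validator into the service host. Assumption: the endpoint uses
// transport security with ClientCredentialType = Certificate over the HTTPS
// binding registered with netsh http add sslcert.
public static class ClientCertificateSetup
{
    public static void Apply(ServiceHost host)
    {
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ValidityPeriodCertificateValidator();
    }
}
```

Call ClientCertificateSetup.Apply(host) before host.Open(). Because HTTP.sys has already completed the TLS handshake by the time this runs, an expired certificate is rejected at the WCF layer rather than at the SSL level the question asks about; the exception message names the offending certificate so an expired intermediate is distinguishable from an expired leaf. To confirm the binding itself is requesting client certificates, netsh http show sslcert lists the binding with "Negotiate Client Certificate" set to Enabled.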