0

As part of http request validation, client has to present JWT token in the http authorization header to the server while making web api REST call.

Server has to validate the token presented by client using the public (rsa security) certificate. In case if the CA issued rsa certificate available on the server has been expired what should be return to the client, http status code or custom validation exception?

If CA certificate expired means, expiry applicable for both its private & public key? I mean, can I use expired certificate's public key to do signature validation of token signed by its private key before its expiry?

191180rk
  • 735
  • 2
  • 12
  • 37

1 Answers1

0

https failure usually doesn't lead to any status being reported. You get an http status only if your computer communicated to the server in a meaningful way. For example on MacOS / iOS, an http request or https request will result either in an error (meaningful communication with the server failed) or a reply including status code, and a failed https negotiation returns an error which you can examine to find out what is wrong.

If you supply a token that will become invalid over time, and your computer managed to send that token to the server, and the server examined and rejected it, you will most likely get a response with status 401, and the reply should tell you why you were not allowed to get a reply from the server, and then you should know how to fix this.

gnasher729
  • 51,477
  • 5
  • 75
  • 98
  • the scenario I have highlighted is not related to https or about expired JWT, but it is about client supplies valid JWT to server but the public certificate in server used to validate the JWT has been recently expired then what should server return to the client, may be 500 or some custom exception? not sure – 191180rk Sep 19 '20 at 14:32