
I got an application from a 3rd party which uses a certificate in the process of authenticating. I wonder if the certificate will still work after its expiration date if the source code uses it in the following ways:

using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Configuration;

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// validOnly is false, so the lookup returns the certificate even after it has expired
var cert = store.Certificates.Find(X509FindType.FindByThumbprint, "THUMBPRINT", false);
store.Close();
SecurityTokenServiceConfiguration config = new SecurityTokenServiceConfiguration("NAME", cert[0]);
// no chain/trust validation of the certificate and no revocation check
config.CertificateValidationMode = X509CertificateValidationMode.None;
config.RevocationMode = X509RevocationMode.NoCheck;

From my understanding there is no validation check so this should still work after the certificate is expired, shouldn't it?

using System.IdentityModel.Selectors;
using Microsoft.IdentityModel.Tokens;

// the issuer is trusted purely by thumbprint; no chain is built for it
var issuerNameRegistry = new ConfigurationBasedIssuerNameRegistry();
issuerNameRegistry.AddTrustedIssuer("THUMBPRINT", "NAME");
var handler = new SecurityTokenHandlerConfiguration();
handler.SaveBootstrapTokens = true;
// X509CertificateValidator.None accepts any certificate without validating it
handler.CertificateValidator = X509CertificateValidator.None;
handler.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
handler.IssuerNameRegistry = issuerNameRegistry;

Again, from my understanding there is no validation check either so this should still work after the certificate is expired, shouldn't it?

Also the web.configs always contain the certificateValidationMode="None" entries.

<issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
        <add thumbprint="THUMBPRINT" name="NAME" />
    </trustedIssuers>
</issuerNameRegistry>
<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="THUMBPRINT" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
<certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />

I already installed the whole system on a standalone machine with a local IIS in order to set the date of the machine to a date after the expiration date. The application still works without any problem.

Is it safe to assume that this still works after the certificate expired or is there anything I am not considering that might lead to an IIS server rejecting this and causing the application to stop working?

Thanks in advance, Michael

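
As an added example (not code from the question or from the application it describes), a check an operator can run against the same store lookup the question uses: it reports the expiry state of the certificate found by thumbprint and shows whether a validating lookup (validOnly set to true) would still return it, so expiry can be monitored instead of being discovered through an outage. The class and method names are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper written for this example; not part of the question's application.
public static class CertificateExpiryCheck
{
    // Finds the certificate the way the question does (validOnly false) and, for comparison,
    // the way a validating lookup would (validOnly true). Returns a one-line status report.
    public static string Report(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly false: the certificate is returned even if expired or untrusted
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                return "not found in LocalMachine\\My: " + thumbprint;

            // validOnly true: only certificates that currently pass validation are returned,
            // so an expired certificate disappears from this result set
            X509Certificate2Collection stillValid = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);

            X509Certificate2 cert = found[0];
            DateTime now = DateTime.Now;           // NotBefore/NotAfter are local time
            TimeSpan remaining = cert.NotAfter - now;
            string state;
            if (now > cert.NotAfter)
                state = "EXPIRED " + (-remaining).Days + " days ago";
            else if (now < cert.NotBefore)
                state = "not yet valid";
            else
                state = "valid, " + remaining.Days + " days remaining";

            return string.Format("{0}: {1}; NotAfter={2:u}; returned by validOnly=true: {3}",
                cert.Subject, state, cert.NotAfter, stillValid.Count > 0 ? "yes" : "no");
        }
        finally
        {
            store.Close();
        }
    }

    // Usage: Console.WriteLine(CertificateExpiryCheck.Report("THUMBPRINT"));
}
```
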
  • I have the same configuration: certificateValidationMode="None" revocationMode="NoCheck". Did it expire? Did it go on working without any problem? – Y.Doktur May 09 '23 at 13:03

0 Answers