
What if trustStore certificate expires?

What exceptions will/may I receive if certificates stored in the Java trust store expire? Will I certainly receive an exception accessing a certified resource? Under what circumstances will there be no exceptions?

If a certificate in the trust store expires, and is not replaced with an updated version with the same subject and key, it will be discarded for the purpose of building the certification path, so you'll get a javax.net.ssl.SSLHandshakeException (coming from "PKIX path building failed...").

If you look at the JSSE Reference Guide (trust manager section), it relies on the CertPath API (which implements what's needed to verify the date/time).

The default PKIX trust manager implements RFC 3280, which requires all certificates in the chain to be valid at the current date/time. See section 6.1:

The algorithm presented in this section validates the certificate with respect to the current date and time.

and

(d) for all x in {1, ..., n}, the certificate was valid at the time in question.

If you want to bypass this, you can implement your own trust manager (although it's generally not recommended, since you'd weaken the default algorithm).

I would expect an expired certificate to not be used by the system. So to your code, it should behave as though not found at all.
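
A way to find expiring trust store entries before they cause handshake failures, as an added example that is not part of either answer above. It assumes Java 11+, takes the trust store path and password as optional arguments (defaulting to the JDK's bundled cacerts file and its default password), and uses a constructed 30-day warning window.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

/** Added example: lists trust store entries that are expired or expire soon. */
public class TrustStoreExpiryAudit {
    public static void main(String[] args) throws Exception {
        // Assumptions: path and password come from the command line; the defaults
        // are the JDK's bundled cacerts file and its default password.
        Path path = Path.of(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        Duration warnWindow = Duration.ofDays(30); // constructed threshold

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }

        Instant now = Instant.now();
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // skip non-X.509 entries
            X509Certificate x = (X509Certificate) c;
            Instant notBefore = x.getNotBefore().toInstant();
            Instant notAfter = x.getNotAfter().toInstant();
            String status;
            if (now.isAfter(notAfter)) status = "EXPIRED";
            else if (now.isBefore(notBefore)) status = "NOT_YET_VALID";
            else if (now.plus(warnWindow).isAfter(notAfter)) status = "EXPIRES_SOON";
            else continue; // valid beyond the warning window
            flagged++;
            System.out.printf("%-13s %s notAfter=%s subject=%s%n",
                    status, alias, notAfter, x.getSubjectX500Principal().getName());
        }
        System.out.println(flagged + " of " + ks.size() + " entries flagged");
        if (flagged > 0) System.exit(1); // non-zero exit lets a scheduled job alert
    }
}
```

Running this on a schedule against the trust store an application actually loads gives time to replace a certificate before its notAfter date passes.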
