A simple question here.
One application gave me this exception when trying to access a website with a expired certificate: java.security.cert.CertificateExpiredException
So, I renewed the certificated from the website machine and restarted it. When I try to access it from Firefox or Chrome it will load the new certificate (which it's expiration date is set somewhere near 2040).
The problem is, Java applications doesn't seems to renew this certificate, it seems to be stuck in some kind of internal cache. I already tried to add it to the keystore and set options in the application properties like -Dcom.sun.net.ssl.checkRevocation=false. No matter what I do, it always throw me a java.security.cert.CertificateExpiredException
Any ideas?
Best Answer
The default Java keystore location is a .keystore file under your home directory (user.home system property) so unless you specify otherwise that is where a Java application will look.
Try running:
to see if the expired certificate is in there.
If you want to specify a different identity keystore to use then you can do so using the following system properties:
I believe that Firefox uses NSS and you can view its keystore using the certutil utility (from the nss-tools or similar package) - something like:
You should be able to use the pk12util utility to extract the key and certificate into a PKCS12 file but you're probably better off just generating a new certificate signing request using the keytool utility.
Note that a revoked certificate is not the same as an expired one which is why your checkRevocation=false doesn't work. The CA can revoke a certificate at any time even if it has not yet expired and this indicates that it should no longer be trusted.