how to check SSL certificate expiration date programmatically in Java
How to parse the expiration date from the certificate
Cast it to an X509Certificate
and call getNotAfter()
.
How to determine the certificate chain, eg, the github certificate with chains
You've got it. That's what the Certificate[]
array is, as it says in the Javadoc.
How did i know which certificate to get the expiration date from?
Read the Javadoc. "The peer's own certificate first followed by any certificate authorities".
However I don't know why you're doing any of this. Java should already do it all for you.
And please throw away that insecure and incorrect TrustManager implementation. The correct way to handle self-signed certificates is to import them into the client truststore. Please also throw away your insecure HostnameVerifier, and use the default one, or a secure one. Why use HTTPS at all if you don't want it to be secure?
Comments
-
Simon Wang over 3 years
I need to extract expiration date from SSL certificate on web site in Java,should support both trusted and self-signed certificate,such as: 1.trusted https://github.com 2.self-signed https://mms.nw.ru/
I already copy some code as:
import java.net.URL; import java.security.SecureRandom; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; public class SSLTest { public static void main(String [] args) throws Exception { // configure the SSLContext with a TrustManager SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(new KeyManager[0], new TrustManager[] {new DefaultTrustManager()}, new SecureRandom()); SSLContext.setDefault(ctx); URL url = new URL("https://github.com");//https://mms.nw.ru HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); conn.setHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String arg0, SSLSession arg1) { return true; } }); System.out.println(conn.getResponseCode()); Certificate[] certs = conn.getServerCertificates(); for (Certificate cert :certs){ System.out.println(cert.getType()); System.out.println(cert); } conn.disconnect(); } private static class DefaultTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} @Override public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} @Override public X509Certificate[] getAcceptedIssuers() { return null; } } }
The questions are:
How to parse the expiration date from the certificate, in my code the toString() did output the date,but it is hard to parse.
How to determine the certificate chain, eg, the github certificate with chains 3, how did i know which certificate to get the expiration date from?
-
Simon Wang over 11 yearsmy application is an monitoring tool which has a function to monitor the SSL expiration date so that customer could be notified when it will expire soon. So i do not care whether the HTTPS is sucure, i just care when it will expire. what do you mean by "Java should already do it all for you."?
-
user207421 over 11 years@Grace I meant that if the certificate(s) have expired it will throw an
SSLHandshakeException
. It's hard to believe that a simple calendar entry wouldn't accomplish the purpose without writing any Java code at all. -
Simon Wang over 11 yearsthanks for your quick response. It's OK for me to cast from Certificate to X509Certificate. Anyway our programs aim to automatically monitor the expiration date of one certificate and will notify admin if it will expire soon.Our application is a monitoring system just like nagios etc.That's it. You did help very much:)
-
user207421 over 11 years@Grace I see, have fun with it.
-
user207421 almost 6 yearsThere is nothing in the question to suggest that Java didn't understand the certificate format.
-
Sorin Penteleiciuc about 3 yearsThis actually helped me alot