Wednesday, March 29, 2006


Certificate Expiration Dates

have you ever had a certificate expire and COREid components stop functioning on you. Once you figured out that it was a certificate you were like, "oh-oh, there might be a few more expiring in the next few minutes, hours, days, etc." This is one of those things that us mere mortals re-learn how to do once a year and then promptly re-forget immediately afterwards.

The openssl tool installed alongside each COREid component can be used to determine the valid dates for a certificate. The following example examines a self signed COREid certificate ("simple mode") . The same example holds true for all COREid components: Identity Server, Access Server, WebPass, WebGate and Access Manager (frequently installed alongside WebGate).

C:\>cd \Program Files\COREid\WebComponent\access\oblix\tools\openssl
C:\>openssl x509 -in ..\..\config\simple\aaa_cert.pem -noout -dates
notBefore=Mar 28 22:23:15 2005 GMT
notAfter=Mar 28 22:23:15 2006 GMT

I have found that the best way to fix this is to adjust the certificate expiration time during the product install. When installing, after the wizard has copied the files to the hard drive but before you have selected your transport security option, go to the file system and modify the \{install dir}\oblix\tools\openssl\openssl.cnf and openssl_silent.cnf and modify the default_days value to a value greater than 365. I use 3650. Save the files and continue the install. When the certs are generated for the first time, they will be 10 year certs. Obviously this does not fix those that you have already installed, but it does fix every new install that you do. Try it out!
thanks aaron, here is a
to another blog entry describing just that.
Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?