Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
The current TrustStore API requires some tidy up/improvements to allow an operator to better manage certificate expiry.
- Currently the details of the certificates contained within a store are not exposed in a uniform manner. getCertificateDetails() should be pulled up into the common TrustStore API and implemented by all truststore types. I suggest we standardise on the form currently used by ManagedPeerCertificateTrustStore#getCertificateDetails (i.e. a List<CertificateDetails>). For the SiteSpecificTrustStore it should return a singleton list.
- KeyStores currently warn the user, via operational log messages, that certificates are about to expire. TrustStores should implement the same feature.
- For SSL client authentication, we should have a 'strict mode' in which the validFrom/validTo dates of the peer certificate are validated before the connection is accepted. This will help users who utilise self-signed certificates for client authentication to manage certificate expiry effectively.
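One way to realise the expiry warning and the strict mode from the last two points, as an added illustration that is not Broker code: a hypothetical X509TrustManager wrapper whose delegate answers the trust-store membership question while the wrapper logs approaching expiry and, when strict, rejects peers outside their validity window. The class name, the warnBefore threshold and the use of a wrapped delegate are assumptions.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import javax.net.ssl.X509TrustManager;

// Hypothetical wrapper (not Broker-J code): the delegate decides trust-store membership;
// this class adds the expiry warning and, in strict mode, the validFrom/validTo check.
public final class StrictValidityTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final boolean strict;      // reject peer certificates outside their validity window
    private final Duration warnBefore; // warn when validTo falls within this window

    public StrictValidityTrustManager(X509TrustManager delegate, boolean strict, Duration warnBefore) {
        this.delegate = delegate;
        this.strict = strict;
        this.warnBefore = warnBefore;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType); // is the peer certificate in the store?
        enforceValidity(chain);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        enforceValidity(chain);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    private void enforceValidity(X509Certificate[] chain) throws CertificateException {
        Instant now = Instant.now();
        for (X509Certificate cert : chain) {
            Instant notAfter = cert.getNotAfter().toInstant();
            if (notAfter.isBefore(now.plus(warnBefore))) {
                // Operational log message, mirroring what KeyStores already emit for their own certificates
                System.err.printf("Certificate '%s' expires at %s%n", cert.getSubjectX500Principal().getName(), notAfter);
            }
            if (strict) {
                // Throws CertificateExpiredException / CertificateNotYetValidException, aborting the handshake
                cert.checkValidity(Date.from(now));
            }
        }
    }
}
```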