WebSphere Application Server & Liberty

java.security.cert.CertificateExpiredException

  • 1.  java.security.cert.CertificateExpiredException

    Posted Wed March 17, 2021 05:31 AM

    We have a load-balanced LDAP service, and behind the LB there are 4 domain controllers.

    1. We have imported the AD-provided SSL certificate into WebSphere Application Server, but we are getting an SSL certificate expiration error.

    2. For analysis purposes, we asked the AD team for the IP addresses of the domain controllers behind the LB and tried "Retrieve from port" for the SSL signer certificate from WebSphere. We found that one of the domain controller servers gives the certificate expiration error below.

    Error: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Tue Jul 09 11:48:15 IST 2019; internal cause is:

    java.security.cert.CertificateExpiredException: NotAfter: Tue Jul 09 11:48:15 IST 2019

    Then we referred to the forum post below, but com.ibm.jsse2.checkRevocation is already set to false in WebSphere Application Server.

    https://www.ibm.com/mysupport/s/question/0D50z00005phxIrCAI/itmv6-pkix-path-validation-failed-javasecuritycertcertpathvalidatorexception

    Then we informed the AD team of the certificate expiration issue on that server, but they say the certificate expires in 2022 and there is no SSL/LDAP issue on that server.

    Please help us find the root cause.





  • 2.  RE: java.security.cert.CertificateExpiredException

    Posted Wed March 17, 2021 11:52 AM

    Hello,

    The exception you posted is not similar to the one in the article you referenced.

    The exception you are experiencing is about the certificate expiration date having passed, meaning today... and on any day after Jul 9 2019 that certificate cannot be used, period, and there is no further investigation of the validity of the certificate, like whether it has been revoked, etc.

    But the real question is where you found that exception and what certificate it is complaining about.

    For this discussion I will assume that the Load Balancer is configured to not terminate SSL connections (is in passthru mode for SSL).

    If there is anyone else in your company using that same load-balanced group of LDAP servers with SSL, and if they ever get routed to that same LDAP server (domain controller), then they would see the same issue. For this discussion I will assume there are others and that the Domain Controller (Active Directory) support team is correct that their hosts do not have an expired certificate, but if you wanted to be sure you could use a tool from DigiCert...

    Download and install the DigiCert Certificate Utility for Windows (https://www.digicert.com/util/).

    When you open it, click on the Tools icon/tab on the left-hand side...

    Then press the button called "Check Install".

    Then put the host name/IP (of the domain controllers) in the Server Address box.

    Enter the port in the Port Number box.

    Leave the SSL/TLS Mode as "Auto determine by port number".

    Press Query Server.

    Review the results; if it shows the same expired certificate, share the results with the AD team.

    But there is one thought that I have about your WebSphere environment. When a connection is made from WebSphere Application Server to another host using SSL, WebSphere is known as the SSL client and the target host (in this case the AD server) is known as the SSL server. The SSL server could be configured to request client authentication, and if that is the case the SSL client is asked to send its certificate to the SSL server... and it is possible that the SSL certificate chosen to be sent back to the SSL server is expired. So check the log and the message carefully and look at the details... an easy eye-catcher is to look at the CN, to see if that has a hint about where the certificate might actually be (on the AD server or on the WebSphere Application Server).

    Bill Holtzhauser



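The check the reply describes, querying each domain controller directly rather than the load balancer VIP and reading the certificate's NotAfter date and subject CN, done from a script instead of the DigiCert Windows utility. This is an added example, not code from the thread or from IBM: the function names (`fetch_server_cert`, `check_cert`, `make_fake_cert`), the host names and the DER certificate it builds are my own. The sample certificate is constructed inline, with the NotAfter value from the posted error (11:48:15 IST is 06:18:15 UTC), so the parsing and expiry check run offline; against real servers you pass the DC host names or IPs as arguments and it talks to port 636 without verifying the chain, because a verifying handshake would reject the expired certificate before you got to see it.

```python
"""Check each LDAP host behind a load balancer for an expired server certificate.

Added example, not code from the thread. The DER walker only reads the fields
needed here (validity and subject CN); it is not a general X.509 parser.
"""
import datetime as dt
import socket
import ssl
import sys

OID_COMMON_NAME = b"\x55\x04\x03"  # 2.5.4.3 (id-at-commonName)


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        s = str(year + (2000 if year < 50 else 1900)) + s[2:]  # RFC 5280 pivot
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def common_name(name_value):
    """Return the first CN in an X.501 Name (SEQUENCE OF SET OF SEQUENCE{oid, value})."""
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None


def check_cert(der_bytes, now=None):
    """Return subject CN, NotBefore/NotAfter and whether the cert is expired at `now`."""
    _, cert, _ = der_read(der_bytes)
    tbs = der_children(cert)[0][1]           # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # explicit [0] version is optional
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = der_children(fields[3][1])
    now = now or dt.datetime.now(dt.timezone.utc)
    info = {"cn": common_name(fields[4][1]),
            "not_before": parse_time(nb_tag, nb),
            "not_after": parse_time(na_tag, na)}
    info["expired"] = now > info["not_after"]
    return info


def fetch_server_cert(host, port=636):
    """Fetch the leaf certificate a TLS server presents, as DER, without verifying it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE          # we want to read the bad cert, not reject it
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample input so the check can run offline -------------------

def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def make_fake_cert(cn, not_before, not_after):
    """Build a structurally valid but unsigned DER certificate (constructed test data)."""
    def utc_time(t):
        return der_encode(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

    def name(value):
        atv = der_encode(0x30, der_encode(0x06, OID_COMMON_NAME) + der_encode(0x0C, value.encode()))
        return der_encode(0x30, der_encode(0x31, atv))

    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))                        # version v3
                     + der_encode(0x02, b"\x01")                                        # serialNumber
                     + der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
                     + name("Constructed Issuing CA")                                   # issuer
                     + der_encode(0x30, utc_time(not_before) + utc_time(not_after))     # validity
                     + name(cn)                                                         # subject
                     + der_encode(0x30, b""))                                           # SPKI left empty
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python check_dc_certs.py dc1.corp.example dc2.corp.example ...
    for host in sys.argv[1:]:
        info = check_cert(fetch_server_cert(host))
        flag = "EXPIRED" if info["expired"] else "ok"
        print(f"{host}: CN={info['cn']} NotAfter={info['not_after']:%Y-%m-%d %H:%M:%S %Z} {flag}")
```

Two caveats that follow from the reply: `getpeercert(binary_form=True)` returns only the leaf the server sends, so an expired intermediate in the chain would need the full chain (for example from `openssl s_client -showcerts`) rather than this script; and if the CN printed for the offending host is a WebSphere host rather than a domain controller, the expired certificate is the client certificate in the WAS keystore, which is the second possibility the reply raises.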