WebSphere Application Server & Liberty

"Automatically replace expiring self-signed and chained certificates"

  • 1.  "Automatically replace expiring self-signed and chained certificates"

    Posted Mon October 18, 2021 09:42 AM
    I'm dealing with Google ReCaptcha's SSL certificates and their apparently rather short-term lifetimes (apparently about 6 months).

    I've created a custom TrustStore, whose purpose is mainly to enable trust of Google's various certs used by their ReCaptcha service.  I have that installed in WebSphere, and it works fine.

    I've written a scheduled job (in Java) that examines the custom TrustStore file, checks each contained cert for imminent expiration and, upon finding any soon to expire, downloads roots.pem from the relevant Google site, creates a new empty TrustStore, and populates it with the certs from roots.pem.  Then, it sends email as a reminder of the need to manually replace the existing TrustStore with the newly generated one.

    The difficulty arises while trying to coordinate the use of that scheduled job with WebSphere's configuration regarding when soon to expire certs "might be replaced" (apparently anytime within 60 days of expiration).

    The latest test of the scheduled job seems to show that two of the four certs soon to expire have been replaced with ones with the same expiration-date as their predecessor.  I suppose Google hasn't issued new ones for those two yet.

    To more easily manage these expirations, I'm considering choosing the option to disable "Automatically replace expiring self-signed and chained certificates".  However, I'm not sure of the implications of that, what that feature actually does.

    In particular regarding these Google ReCaptcha certs, would there be any down-side to disabling that feature?

    Larry LeFever
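The job described in the post above, as an added example (not Larry's code and not WebSphere's own tooling): it loads a trust store, lists the aliases whose certificates expire within a warning window, rebuilds a fresh store from a PEM bundle, and reports whether the rebuilt store actually pushes the earliest expiry out. The store type (PKCS12), the 60-day window, and reading roots.pem from a local file instead of downloading it are assumptions made so the program runs offline; the email step is left out.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustStoreExpiryCheck {

    // Assumed warning window: flag certs expiring within 60 days, the same
    // window the post mentions for WebSphere's own replacement behaviour.
    static final Duration WARN_WINDOW = Duration.ofDays(60);

    // Assumed store type; WebSphere may also use JKS, in which case change this.
    static final String STORE_TYPE = "PKCS12";

    /** Aliases whose X.509 certificate expires before now + WARN_WINDOW. */
    static List<String> expiringAliases(KeyStore ks, Instant now) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // skip key entries etc.
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isBefore(now.plus(WARN_WINDOW))) result.add(alias);
        }
        return result;
    }

    /** Earliest notAfter across all certificate entries, or Instant.MAX if none. */
    static Instant earliestExpiry(KeyStore ks) throws Exception {
        Instant earliest = Instant.MAX;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isBefore(earliest)) earliest = notAfter;
        }
        return earliest;
    }

    /** Builds a brand-new trust store holding every certificate in a PEM bundle. */
    static KeyStore trustStoreFromPem(InputStream pem) throws Exception {
        KeyStore fresh = KeyStore.getInstance(STORE_TYPE);
        fresh.load(null, null); // initialise an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        for (Certificate c : cf.generateCertificates(pem)) {
            X509Certificate x = (X509Certificate) c;
            // Subject DN plus a counter keeps aliases unique and readable.
            String alias = (x.getSubjectX500Principal().getName() + "-" + i++).toLowerCase();
            fresh.setCertificateEntry(alias, x);
        }
        return fresh;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TrustStoreExpiryCheck <store> <password> <roots.pem> <out-store>");
            System.exit(2);
        }
        Path storePath = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        Path pemPath = Paths.get(args[2]);   // assumed: roots.pem fetched separately
        Path outPath = Paths.get(args[3]);

        KeyStore current = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(storePath)) {
            current.load(in, password);
        }

        Instant now = Instant.now();
        List<String> expiring = expiringAliases(current, now);
        if (expiring.isEmpty()) {
            System.out.println("No certificates expire within " + WARN_WINDOW.toDays() + " days.");
            return;
        }
        System.out.println("Expiring soon: " + expiring);

        KeyStore fresh;
        try (InputStream pem = Files.newInputStream(pemPath)) {
            fresh = trustStoreFromPem(pem);
        }
        // Guard against the case described in the post: the bundle may not yet
        // contain replacements, so the new store would expire no later than the old.
        Instant oldEarliest = earliestExpiry(current);
        Instant newEarliest = earliestExpiry(fresh);
        if (!newEarliest.isAfter(oldEarliest)) {
            System.out.println("Warning: rebuilt store still expires at " + newEarliest
                    + "; the bundle may not contain renewed certificates yet.");
        }
        try (OutputStream out = Files.newOutputStream(outPath)) {
            fresh.store(out, password);
        }
        System.out.println("Wrote " + fresh.size() + " certificates to " + outPath);
    }
}
```

The comparison of earliest expiry dates is the check worth adding to a job like this: if the freshly generated store does not expire later than the one already installed, replacing it gains nothing, which matches the observation in the post that two of the four certificates came back with the same expiration date. Writing the new store under a separate name and leaving the swap to an administrator (as the post describes) keeps the running server's trust configuration unchanged until someone has reviewed what is in the bundle.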

  • 2.  RE: "Automatically replace expiring self-signed and chained certificates"

    Posted Tue October 19, 2021 05:32 AM
    Hello Larry,
    Is the custom trust-store you created managed via WebSphere? Any specific reason for not using the default WAS trust store?

    Please can you elaborate a bit on how your (custom) job is related to the certificate expiration monitor?

    Thanks - Hermann

    Hermann Huebler
    2innovate IT Consulting GmbH