I'm dealing with Google ReCaptcha's SSL certificates and their apparently rather short-term lifetimes (apparently about 6 months).
I've created a custom TrustStore, whose purpose is mainly to enable trust of Google's various certs used by their ReCaptcha service. I have that installed in WebSphere, and it works fine.
I've written a scheduled job (in Java) that examines the custom TrustStore file, checks each contained cert for imminent expiration, and, upon finding any soon to expire, downloads roots.pem from the relevant Google site, creates a new empty TrustStore, and populates it with the certs from roots.pem. Then it sends an email as a reminder of the need to manually replace the existing TrustStore with the newly generated one.
The difficulty arises while trying to coordinate the use of that scheduled job with WebSphere's configuration regarding when soon-to-expire certs "might be replaced" (apparently anytime within 60 days of expiration).
The latest test of the scheduled job seems to show that two of the four soon-to-expire certs have been replaced with ones with the same expiration date as their predecessors. I suppose Google hasn't issued new ones for those two yet.
To more easily manage these expirations, I'm considering choosing the option to disable "Automatically replace expiring self-signed and chained certificates". However, I'm not sure of the implications of that, or of what that feature actually does.
In particular regarding these Google ReCaptcha certs, would there be any downside to disabling that feature?
------------------------------
Larry LeFever
------------------------------
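The two steps the post's scheduled job performs, as an added illustration that is not the poster's own code: scan every certificate in a trust store against the same 60-day window WebSphere uses, then rebuild an empty store from a PEM bundle such as roots.pem. The PKCS12 store type, the file path and the password are assumptions; the roots.pem download itself is left to the caller, which passes an already-fetched stream.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Enumeration;

public class TrustStoreExpiryCheck {
    // Assumed path and password; adjust for the WebSphere profile that holds the store.
    static final String STORE_PATH = "/path/to/recaptcha-truststore.p12";
    static final char[] STORE_PASS = "changeit".toCharArray();
    static final long WARN_DAYS = 60; // same window in which WebSphere may replace expiring certs

    /** True if any certificate in the store expires within WARN_DAYS; prints each one found. */
    static boolean anyExpiringSoon(KeyStore ks) throws Exception {
        Instant cutoff = Instant.now().plus(WARN_DAYS, ChronoUnit.DAYS);
        boolean expiring = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // skip key entries without a cert
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isBefore(cutoff)) {
                System.out.printf("%s expires %s%n", alias, notAfter);
                expiring = true;
            }
        }
        return expiring;
    }

    /** Builds a fresh PKCS12 store holding every certificate in a PEM bundle such as roots.pem. */
    static KeyStore buildStoreFromPem(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore fresh = KeyStore.getInstance("PKCS12");
        fresh.load(null, null); // create an empty store
        // generateCertificates reads a concatenated PEM bundle and returns each cert in it
        for (Certificate c : cf.generateCertificates(pem)) {
            X509Certificate x = (X509Certificate) c;
            // Alias on the serial number so distinct roots never overwrite each other
            fresh.setCertificateEntry("root-" + x.getSerialNumber().toString(16), x);
        }
        return fresh;
    }
}
```

Load the existing store with `KeyStore.getInstance("PKCS12")` and `load(in, STORE_PASS)` before calling `anyExpiringSoon`, and write the rebuilt store with `store(out, STORE_PASS)` to a new file so the running server's TrustStore is only swapped in the manual step the post describes.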