Expired X.509 Certificates
Introduction
X.509 certificates are only valid for a specified period. Once the expiry date is reached, applications may no longer recognize the certificate as valid. This can lead to significant consequences, such as application outages or disruptions in service. Expired certificates can cause authentication failures, security vulnerabilities, and issues with encrypted communications.
To mitigate such risks, it is crucial to regularly review the validity of X.509 certificates. When an expiry date is approaching, take proactive steps to renew or replace the certificate well in advance. Planning for certificate updates ahead of time is essential to maintaining the security and functionality of applications.
How to Check X.509 Certificate Validity
To ensure an X.509 certificate is still valid, you can use one of the following methods.
Keytool
You can use the keytool command to view certificate details and check if it is still valid. The command
keytool -list -v -keystore <KEYSTORE_FILE>
displays the certificate’s validity period along with other details. For example, if a certificate with alias “ServerA” is located in truststore “production.p12”, then verbose details of that certificate may be viewed with:
keytool -list -keystore production.p12 -alias ServerA -v
A password is required to access the keystore details. If you want to see details of all certificates in this store, simply omit the -alias ServerA argument in the above command. keytool will highlight the certificate validity period in this format:
Valid from: Thu Jan 14 11:45:24 UTC 2021 until: Fri Jan 14 11:45:24 UTC 2022
See X.509 Certificate Structure and Analysis Methods to learn more about keytool and other methods for gathering information on certificates.
JDK Debugging
With a JDK-based application, enabling JDK debug logs can show certificate details, including their validity. Use the -Djavax.net.debug=ssl flag when starting your application to log SSL/TLS interactions.
OpenSSL
You can also use OpenSSL to check the validity of a certificate. Run the following command to inspect the expiry date:
openssl x509 -in <CERTIFICATE_FILE> -noout -enddate
This will return the expiry date of the certificate.
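The two manual checks above (reading the expiry date and judging whether renewal is due soon) can be combined into one scheduled check. The following shell script is an added example written for this page, not code from the original article; it assumes the openssl command-line tool is installed and uses its -checkend option to flag any PEM certificate that expires within a chosen number of days. The two self-signed certificates it generates are constructed throwaway test data so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original article). Checks a PEM certificate
# against an "expiring soon" threshold using openssl's -checkend option.
# Assumes the openssl CLI is on PATH.

# cert_expiry_check CERT_FILE [WARN_DAYS]
# Prints the notAfter date and returns 0 if the certificate stays valid for
# more than WARN_DAYS (default 30), or 1 if it expires within that window
# (which includes certificates that have already expired).
cert_expiry_check() {
    cert="$1"
    warn_days="${2:-30}"
    warn_seconds=$((warn_days * 86400))

    # Same command as shown in the article: print the expiry date.
    openssl x509 -in "$cert" -noout -enddate || return 2

    # -checkend N exits 0 if the certificate will NOT expire within N seconds,
    # and 1 if it will (or already has).
    if openssl x509 -in "$cert" -noout -checkend "$warn_seconds" >/dev/null; then
        echo "OK: $cert is valid for more than $warn_days days"
        return 0
    fi
    echo "WARNING: $cert expires within $warn_days days (or is already expired); renew it now"
    return 1
}

# Constructed sample input: two throwaway self-signed certificates, one valid
# for 365 days and one for only 5 days. They are placeholders generated
# locally, not certificates from any real deployment.
make_sample_cert() {
    # $1 = output PEM file, $2 = lifetime in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=sample-$2-days" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
LONG_CERT="$SAMPLE_DIR/long.pem"
SHORT_CERT="$SAMPLE_DIR/short.pem"
make_sample_cert "$LONG_CERT" 365
make_sample_cert "$SHORT_CERT" 5

# Demonstration run with a 30-day warning window: the first call passes,
# the second returns 1 because the certificate expires in 5 days.
cert_expiry_check "$LONG_CERT" 30
cert_expiry_check "$SHORT_CERT" 30 || echo "(exit status $?: schedule a renewal)"
```

To run this against a certificate held in a PKCS#12 or JKS store such as production.p12, first export it in PEM form with keytool -exportcert -alias ServerA -keystore production.p12 -rfc -file ServerA.pem, then pass ServerA.pem to cert_expiry_check. The non-zero exit status makes the function usable as a cron or CI step that alerts before an outage, rather than after one.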
Request a New Certificate
To renew or request a new certificate, you first need to generate a Certificate Signing Request (CSR). A CSR contains the necessary data that is sent to your Certificate Authority (CA) to issue a new certificate. The keytool command can be used to create the CSR. To view all available options, you can run:
keytool -certreq -help
Using the keytool command, the CSR can be generated with the following command:
keytool -certreq -alias ServerA -file ServerA.csr -keystore production.p12
This creates a CSR file (ServerA.csr), which should be sent to your Certificate Authority (CA). Once the CA has completed their validation process and approved the request, they will issue a new certificate.
After receiving the new certificate from the CA, you can import it into your keystore with the following command:
keytool -import -v -alias ServerA -file cert_from_CA.cer -keystore production.p12
To ensure that the new certificate has been correctly installed, use the following command to list the contents of the keystore:
keytool -list -keystore production.p12
This will confirm the certificate’s presence and details in the keystore.
See Certificate Signing Requests for more information.
Last reviewed on Sat Feb 01 2025 00:00:00 GMT+0000 (Coordinated Universal Time)