cert considered invalid when intermediate is expired

Michal Suchanek hramrach at gmail.com
Sun Oct 28 12:16:15 CET 2012

On 28 October 2012 02:31, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 10/26/2012 03:15 PM, Michal Suchanek wrote:
>> Hello,
>> gnutls does not verify a certificate when the intermediate CA
>> certificate is expired.
> If the intermediate certificate is expired why would you consider it
> valid? You may ignore expiration failures if your application doesn't
> care, but gnutls cannot ignore them.

Does that imply that a CA that signs a cert that is supposed to be
valid for 2yrs using an intermediate cert that is valid for 20 months
essentially makes a cert for 20 months only because for the remaining
4 months the cert will be invalid?

The application will, of course, use whatever gnutls supplies for cert
validation so when the cert does not validate in gnutls it will not
validate in any app using the library unless the authors went out of
their way to examine the certificate chain manually.



More information about the Gnutls-help mailing list