Expired Certificate in Chain is still Working

Article ID: 128511

Updated On:

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

A certificate chain on a keyring contains an expired certificate, but the chain is still working. Top Secret is not stopping the certificate from being used.

Environment

Release:
Component: TSSMVS

Resolution

The fact that the certificate is expired and still being used has nothing to do with Top Secret. We do not allow or disallow certificates. We send a corresponding message at times, such as when there is an invalid ACID, but most of the messages for certificates come from UNIX/OMVS.

If the application that you are connecting to allows the certificate to be used, then most likely the certificate on the other side is the same, and the application is verifying the chain and allowing access. Most likely this is SSL. Top Secret stores certificates and can report on the certificates you have, but it is not involved in the actual verification of certificates when they are used.

TSSOERPT will show certificate return codes and activity. You will have to ask the vendor, or the other client that is connecting, why this certificate is still being used. Top Secret is not involved in this.