Topic
  • 6 replies
  • Latest Post - 2013-02-13T14:33:57Z by SystemAdmin
SystemAdmin
6772 Posts

Pinned topic How to allow expired cert in Validation Credential?

2013-02-12T14:12:55Z
XI52 running Firmware 5.0.0.3.

We have a development cert that is expired, and I need to simply ignore the expiration date in the validation credential on the forward crypto profile.

On the certificate object itself, I have "Ignore Expiration Dates" turned on, and on the Proxy Profile, I have "Permit connections to Insecure SSL Servers" turned on. In desperation, I've turned on "Permit insecure SSL renegotiation to a legacy SSL client" on the Crypto Profile, and on the Validation Credential, I've turned "Use CRL" off.

It is still giving an error due to the certificate being expired.

The only nuance to what we're doing is that this whole thing is attached to a dynamic back-end WSP with dp:xset-target for the route. It seems to be doing everything correctly all the way up to failing when checking the validation credential. This is how the XSLT is calling it:

<dp:xset-target host="$url" port="443" ssl="true()" sslid="MyForwardProxyProfile"/>


Where "$url" is an xsl variable holding the back-end to the service. How do I get it to simply accept the expired cert?
Updated on 2014-03-25T02:39:54Z by iron-man
  • chauhan_vin1
    24 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-12T20:02:42Z
    You are using SSL - where DataPower is the client - since the internal certificate expirations are still used, the other end may be rejecting the connection on a handshake, considering the certificate invalid.

    Thanks
  • SystemAdmin
    6772 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-12T20:48:49Z
    Thanks... didn't think of that. So you're saying the server issuing the certificate is rejecting its own cert?
  • chauhan_vin1
    24 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-12T22:54:22Z
    Yes -

    For Forward crypto profile

    ID Cred, if any (for mutual auth): would be the DataPower self-signed certificate, or a CSR which you had signed by a certificate authority, plus the private key.
    Val Cred: with the destination's public certificate.

    Ignore Expiration Dates
    Whether to allow the creation of a certificate prior to its activation date (the NotBefore value in the certificate) or after its expiration date (the NotAfter value in the certificate).

    When allowed ("on"), creates the certificate and places it in the up state. Although the certificate is in the up state, objects that reference the certificate use the internal expiration values. In other words, the certificate itself is in the up state, but a validation credentials set, firewall credentials set, or identification credentials set that references the certificate adheres to the internal expiration values. If the certificate is used for a certificate chain validation from a validation credentials set and the certificate is not valid, validation fails. Similarly, if the certificate is used from an identification credentials set, the DataPower appliance sends the certificate to the SSL peer for an SSL connection, but the peer can reject the certificate as not valid.
    When disallowed ("off"), the default, prevents the creation of a certificate outside of its internal expiration values.
    Client -> DP -> Destination

    When DP connects to Destination, the destination server forwards its certificate to DP. The internal expiration value on the physical certificate is checked, and so DP rejects the handshake.
  • chauhan_vin1
    24 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-12T22:59:36Z
    I mean no - the DP is rejecting it.
  • SystemAdmin
    6772 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-13T14:06:51Z
    This is forward proxy only, so all I have is a validation credential... and in spite of trying to ignore expiry dates, it continued to reject the server issued cert.
  • SystemAdmin
    6772 Posts

    Re: How to allow expired cert in Validation Credential?

    2013-02-13T14:33:57Z
    An expired certificate cannot be used

    The config "Ignore Expiration Dates" is part of the Crypto Certificate object, and allows the certificate to transition into the up state even when the cert is not valid yet, or has expired. The valcred will use the internal expiration date.

    From the Certificate doc in the info center:
    "In other words, the certificate itself is in the up state, but Validation Credentials, Firewall Credentials, or Identification Credentials that references the certificate adhere to the internal expiration values. If the certificate is used for a certificate chain validation from a Validation Credentials and the certificate is not valid, validation fails. Similarly, if the certificate is used from an Identification Credentials, the DataPower® appliance sends the certificate to the SSL peer for an SSL connection, but the peer can reject the certificate as not valid."
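As an added example (not from the thread or from DataPower itself), the script below applies the NotBefore/NotAfter window to a constructed peer chain laid out the way Python's `ssl.getpeercert()` returns it, which is the check a validation credential performs regardless of the certificate object's "Ignore Expiration Dates" setting; the names and dates are invented, and the evaluation time is pinned to the thread's date.

```python
import ssl

# Constructed sample chain, leaf first, in the dict layout that
# ssl.SSLSocket.getpeercert() returns. Names and dates are invented.
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "backend.dev.example"),),),
     "issuer": ((("commonName", "Dev Issuing CA"),),),
     "notBefore": "Jan  1 00:00:00 2012 GMT",
     "notAfter": "Jan  1 00:00:00 2013 GMT"},
    {"subject": ((("commonName", "Dev Issuing CA"),),),
     "issuer": ((("commonName", "Dev Root CA"),),),
     "notBefore": "Jan  1 00:00:00 2010 GMT",
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
]
# Evaluation time pinned to the thread's date so the result is reproducible.
THREAD_DATE = ssl.cert_time_to_seconds("Feb 12 00:00:00 2013 GMT")


def _cn(name):
    """Pull commonName out of the nested RDN tuples ssl uses for names."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def check_validity(cert, now):
    """'valid', 'not_yet_valid' or 'expired' for one cert dict, judged on its
    own NotBefore/NotAfter values, the way a validation credential does."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def audit_chain(chain, now):
    """Report (CN, status, whole days past NotAfter) for every cert in the
    chain, so the offending certificate can be identified quickly."""
    report = []
    for cert in chain:
        status = check_validity(cert, now)
        late = now - ssl.cert_time_to_seconds(cert["notAfter"])
        report.append((_cn(cert["subject"]), status, int(late // 86400) if status == "expired" else 0))
    return report


if __name__ == "__main__":
    for cn, status, overdue in audit_chain(SAMPLE_CHAIN, THREAD_DATE):
        print(f"{cn:22} {status:14} {overdue:3d} days past NotAfter")
```

To run it against a live back end, replace SAMPLE_CHAIN with the dict from `getpeercert()` on an unverified connection and pass `time.time()` as `now`.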