Consider Apache Tomcat 7.0 configured to do client authentication (with the connector's parameter clientAuth set to true).
It appears that, by default, Tomcat trusts expired client certificates that are in its trust store (it allows them to authenticate successfully).
Is it possible to configure Apache Tomcat 7.0 not to trust, and to automatically reject, such expired client certificates, even if they are in its trust store?
It seems this could be achieved by setting another trustManagerClassName, which is X509TrustManagerImpl by default. But I have no idea whether the default algorithm really allows expired certificates. Which of the existing ones should be used here? Or do I have to implement my own and put it in Tomcat's libs?
UPD: I found a very similar question: Java trustmanager behavior on expired certificates, but there is no appropriate solution in its answers. I'm looking for an existing, more secure implementation of X509TrustManager which will check for certificate expiration.

I think your best bet is to write your own X509TrustManager and use your own implementation of checkClientTrusted. Unfortunately, you may have to write a great deal of plumbing code unless you can find another class to extend to do the heavy lifting of managing the trust store, the revocation, etc.
It might be worth your time using a debugger to trace through the JRE's classes to see what's happening down in the default X509TrustManager -- perhaps it's configured incorrectly, or it's possible that Tomcat isn't enabling some features that would make sense to most people.
Just looking at decompiled sources from Java 8, it looks like it comes down to sun.security.validator.SimpleValidator, which does seem to consider the (current) date when checking the validity of the certificate. I would expect a CertificateExpiredException to be thrown at some point by the JRE itself. I don't think Tomcat manages any of this.
Another question on SO has idle speculation about what happens but nothing really definitive.
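The following is an added example illustrating the approach the answer recommends (a custom X509TrustManager with its own checkClientTrusted) for the question's requirement of rejecting expired client certificates even when they sit in the trust store; it is not code from the original question or answer, nor from Tomcat or the JDK. Rather than reimplementing trust-store handling, it wraps the JRE's default trust manager and adds an explicit validity-period check on every certificate in the presented chain, so an expired or not-yet-valid certificate is rejected regardless of what the delegate decides. The class name ExpiryCheckingTrustManager is invented, and it assumes (an assumption, not something the page states) that Tomcat instantiates the class named in trustManagerClassName with a no-argument constructor, so the trust store location and password are taken from the standard javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager (not part of Tomcat or the JDK) that delegates the
 * chain-building and trust-anchor decision to the JRE's default X509TrustManager
 * and then enforces the validity period of every certificate in the chain.
 */
public class ExpiryCheckingTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;

    /**
     * No-argument constructor, assumed to be what Tomcat calls for the class
     * named in the Connector's trustManagerClassName attribute. Trust store
     * location/password are read from the standard JSSE system properties
     * (assumption: the Connector's truststoreFile/truststorePass are not passed
     * to a trust manager loaded by name).
     */
    public ExpiryCheckingTrustManager() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.trustStore is not set");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("default TrustManagerFactory produced no X509TrustManager");
        }
        this.delegate = found;
    }

    /** Explicit wiring, e.g. for unit tests with a pre-built delegate. */
    ExpiryCheckingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // First let the JRE decide whether the chain leads to a trusted anchor...
        delegate.checkClientTrusted(chain, authType);
        // ...then refuse any chain containing a certificate outside its validity window,
        // even if the leaf itself is a trust anchor.
        rejectIfOutsideValidityPeriod(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        rejectIfOutsideValidityPeriod(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Throws CertificateException if any certificate in the chain is expired or not yet valid. */
    static void rejectIfOutsideValidityPeriod(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity(); // checks notBefore/notAfter against the current time
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                throw new CertificateException(
                        "rejecting " + cert.getSubjectX500Principal() + ": " + e.getMessage(), e);
            }
        }
    }
}
```

To use it, the compiled class would be placed on Tomcat's classpath (for example as a jar in its lib directory, as the question suggests) and referenced from the connector as trustManagerClassName="ExpiryCheckingTrustManager" alongside clientAuth="true". A failed check surfaces to the client as a TLS handshake failure, and the exception message, which names the rejected subject, can be logged on the server side to distinguish expired-certificate rejections from other trust failures.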