
Security With HTTPS And SSL: javax.net.ssl.SSLHandshakeException: Certificate Expired

I have tried a command to check for a missing intermediate certificate authority, using this command:

$ openssl s_client -connect mail.google.com:443

For my website which should be shown

Solution 1:

You have already found your issue. Actually, your certificate is expired. Your web service's app server needs to update its certificate.

For a full tutorial on creating and checking certificates, you can follow these tutorials:

  1. The Most Common OpenSSL Commands
  2. How To Verify SSL Certificate From A Shell Prompt

To change the certificate, you can follow this tutorial:

http://www.albeesonline.com/blog/2009/06/24/javax-net-ssl-sslhandshakeexception-certificate-expired/


Full Tutorial:

For testing purposes I will use the mail.google.com:443 SSL certificate, which is issued by Go Daddy.

Step # 1: Getting The Certificate

Create a directory to store the certificate:

$ mkdir -p ~/.cert/mail.google.com/
$ cd ~/.cert/mail.google.com/

Retrieve the mail.google.com certificate provided by the Google mail server:

$ openssl s_client -showcerts -connect mail.google.com:443

Copy from the “-----BEGIN CERTIFICATE-----” to the “-----END CERTIFICATE-----”, and save it in your ~/.cert/mail.google.com/ directory as mail.google.com.pem.

Step # 2: Getting The Certificate Of The Issuer

If this certificate was issued by Go Daddy, you need to get the “Certification Authority Root Certificate” (visit your CA’s website to get the root certificate):

$ wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/mail.google.com/gd.pem

Step # 3: Rehashing The Certificates

Create symbolic links to the files, named by their hash values, using c_rehash. Enter:

$ c_rehash ~/.cert/mail.google.com/

Sample output:

Doing  ~/.cert/mail.google.com/
mail.google.com.pem => 1d97af50.0
gd.pem => 219d9499.0

Test It

To confirm you have the correct and working certificates, enter:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:443

Sample output:

CONNECTED(00000003)
..........
Verify return code: 0 (ok)
---

There should be lots of data; however, the important thing to note is the final line, “Verify return code: 0 (ok)”. I’m using the same certificate for the dovecot IMAP mail server; type the following to verify the mail server SSL certificate:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:993

Sample output:

CONNECTED(00000003)
..........
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 QUOTA AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Again, the final “Dovecot ready” line, along with the 0 return code, indicates that everything is working fine.

Resource Link:

Verifying that a Private Key Matches a Certificate
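
An added example, not part of the original answer: a POSIX shell check for the expiry condition behind this exception, run against a saved PEM file such as the mail.google.com.pem from Step 1. The function names, the 30-day warning window and the example.test sample certificates are assumptions constructed for the example.

```sh
#!/bin/sh
# cert_status PEM [WARN_DAYS]
# Prints ok / expiring / expired / unreadable for the first certificate in PEM
# and returns 0 only for "ok". WARN_DAYS (default 30) is an assumed window.
cert_status() {
    pem=$1
    warn_secs=$(( ${2:-30} * 86400 ))
    # Reject files that do not parse as X.509, so that a bad path or a
    # truncated copy-paste is not misreported as "expired".
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now; N=0 therefore tests "already past notAfter".
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days (CN example.test is a placeholder), so the demo runs offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1 || return 1
    rm -f "$1.key"
}

# Demo: a 1-day certificate falls inside the 30-day window, a 365-day one
# does not. For a real server, pass the PEM file saved in Step 1 instead.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/short.pem" 1
make_sample_cert "$demo_dir/long.pem" 365
for f in short.pem long.pem; do
    printf '%s: %s (%s)\n' "$f" "$(cert_status "$demo_dir/$f" 30)" \
        "$(openssl x509 -in "$demo_dir/$f" -noout -enddate)"
done
rm -rf "$demo_dir"
```

Because the function returns non-zero for anything other than "ok", it can be dropped into a cron job or CI step to flag a certificate before clients start failing the handshake.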
