Client CA in truststore expired, but client Certs signed by it still work


One of our clients has sent us a CA that we have added in our HiveMQs trust store, so that client certs signed by this CA are trusted by our HiveMQ server to establish secure connection.

The client recently contacted us and said that despite the CA validity has expired their clients still manage to create connection to our broker. We expected that hiveMQ would also check the validity of both the certificates signed by trusted CAs AND the CA’s validity itself, but it seems that this is not the case. I was wondering if this is a known issue in HiveMQ or is there a setting that should be enabled for this? We use HiveMQ Version 4.12.0 on Linux. Please let us know if you want more detailed information.

Hi @icc

HiveMQ, like other Java-based applications, uses the Java Trust Store to determine which Certificate Authorities (CAs) are trusted. When a client presents a certificate signed by a trusted CA, HiveMQ will verify that the certificate is not expired, has not been revoked, and that the chain of trust is valid all the way up to a trusted root CA.

However, HiveMQ does not perform any additional checks on the validity of the trusted CAs themselves. This means that if a CA’s certificate has expired, but the certificate of the client’s certificate is still within its validity period, the connection will be established successfully.

This behavior is not unique to HiveMQ and is common across most Java-based applications that use the Java Trust Store. If you want to enforce additional checks on the validity of trusted CAs, you will need to implement custom code or use third-party libraries.

One approach could be to periodically check the validity of the CAs in your Trust Store and remove any that have expired. This can be automated using a script or tool.

I hope this information was helpful.
Kind regards,
Dasha from HiveMQ Team