I have a Java process running on a remote server that exposes an SSL-configured JMX port using the com.sun.management.jmxremote JVM arguments. The process uses a keystore that contains a self-signed certificate.
I am running Java Mission Control (JMC) on my local machine to connect to this remote JMX port. I have set up JMC with a truststore that has imported the self-signed certificate from the remote keystore. This is all great and I can connect with secured SSL as expected.
I checked the details of the self-signed certificate recently and was surprised to see that it had expired a month ago. I would have expected not to be able to connect to the remote process using JMC, but I have been able to connect just fine with no expiration warnings.
I have confirmed that it is indeed using this certificate as when I run JMC without the truststore and try to connect I get a Certificate Path Building Exception. I have also looked at the SSL debug and can see the certificate is used.
Could anyone explain to me why I am still able to establish this connection using an expired certificate? If this process exposed a RESTful service that I connected to in a browser, would I expect to not be able to connect, or would I just get a warning (or nothing at all, like in JMC)?
Thanks for your time.
After further investigation I have found that the Trust Manager used by Java Mission Control will accept expired certificates without warning. However, it will prefer a valid certificate over an expired one should both be available. I am not aware whether or not this behavior can be changed.
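The behaviour described above matches how the JDK's default PKIX trust manager handles a self-signed certificate that sits directly in the client truststore: the leaf certificate is itself the trust anchor, and path validation does not check a trust anchor's validity dates. The following is an added example, not code from the original post or from JMC, showing a wrapper `X509TrustManager` that delegates to the JVM's default manager and then calls `checkValidity()` on every certificate in the chain, so an expired anchor is rejected. It also includes an audit method that reports expired or not-yet-valid entries in a truststore file. The class name, the method names, and the truststore path and password passed on the command line are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (hypothetical class name): wraps the JVM's default
 * X509TrustManager and additionally rejects any chain containing a
 * certificate that is outside its validity period, including a
 * self-signed leaf that is also the trust anchor.
 */
public class ExpiryEnforcingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public ExpiryEnforcingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    // checkValidity() throws CertificateExpiredException or
    // CertificateNotYetValidException, both subclasses of CertificateException.
    private static void requireValidNow(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        for (X509Certificate cert : chain) {
            cert.checkValidity();
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); // normal PKIX/truststore check first
        requireValidNow(chain);                        // then the date check the default skips for anchors
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        requireValidNow(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a null password loads without an integrity check
        }
        return ks;
    }

    /** Builds an SSLContext whose only trust manager is the enforcing wrapper. */
    public static SSLContext buildContext(String truststorePath, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(truststorePath, password));
        X509TrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { base = (X509TrustManager) tm; break; }
        }
        if (base == null) throw new IllegalStateException("no X509TrustManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ExpiryEnforcingTrustManager(base) }, null);
        return ctx;
    }

    /** Returns one line per truststore entry that is expired or not yet valid. */
    public static List<String> auditTruststore(String truststorePath, char[] password) throws Exception {
        KeyStore ts = loadKeyStore(truststorePath, password);
        List<String> problems = new ArrayList<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ts.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
                problems.add(alias + ": " + x.getSubjectX500Principal()
                        + " notAfter=" + x.getNotAfter() + " (" + ex.getClass().getSimpleName() + ")");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ExpiryEnforcingTrustManager /path/to/jmc-truststore.jks [password]
        if (args.length < 1) {
            System.err.println("usage: java ExpiryEnforcingTrustManager <truststore> [password]");
            System.exit(2);
        }
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        List<String> problems = auditTruststore(args[0], pw);
        if (problems.isEmpty()) {
            System.out.println("all truststore certificates are within their validity period");
        } else {
            problems.forEach(p -> System.out.println("INVALID " + p));
        }
        SSLContext ctx = buildContext(args[0], pw);
        System.out.println("enforcing SSLContext ready (" + ctx.getProtocol() + ")");
    }
}
```

Running the audit against the JMC truststore from the question would list the self-signed entry with its `notAfter` date. Handing the returned `SSLContext` to a JSSE client makes a handshake against the expired certificate fail with `CertificateExpiredException` instead of succeeding silently; the simpler operational fix is to reissue the certificate and replace it in both the remote keystore and the JMC truststore.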