Just want to know why different versions of the Python module certifi have the same validity date for their cacert.pem. I have checked with certifi versions 2018.4.16 and 2024.2.2.
certifi 2018.4.16
[root@8a63ff0c0dba /]# python3.3 -m pip show certifi
Name: certifi
Version: 2018.4.16
Summary: Python package for providing Mozillas CA Bundle.
Home-page: http://certifi.io/
Author: Kenneth Reitz
Author-email: me@kennethreitz.com
License: MPL-2.0
Location: /usr/local/lib/python3.3/site-packages
Requires:
Required-by: requests
[root@8a63ff0c0dba /]# openssl x509 -enddate -noout -in /usr/local/lib/python3.3/site-packages/certifi/cacert.pem
notAfter=Jan 28 12:00:00 2028 GMT
certifi 2024.2.2
[root@1e6dfr05dhd /]# python3.11 -m pip show certifi
Name: certifi
Version: 2024.2.2
Summary: Python package for providing Mozillas CA Bundle.
Home-page: https://github.com/certifi/python-certifi
Author: Kenneth Reitz
Author-email: me@kennethreitz.com
License: MPL-2.0
Location: /usr/local/lib/python3.11/site-packages
Requires:
Required-by: requests
[root@1e6dfr05dhd /]# openssl x509 -enddate -noout -in /usr/local/lib/python3.11/site-packages/certifi/cacert.pem
notAfter=Jan 28 12:00:00 2028 GMT
Does the validity of cacert.pem get updated automatically after Jan 28, 2028?
The cacert.pem does not have a validity date.
Instead, this file is a collection of over 100 CA certificates, each with its own expiration date. The command you use to check the "validity date of cacert.pem" only outputs the expiration of the first certificate in this file, which is probably the "GlobalSign Root CA".
This output will stay the same as long as this exact certificate is placed first in cacert.pem, no matter whether other certificates have changed. And the output will change if the certificates are simply reordered, even if no certificate was updated, added or removed.
So it makes no sense to use this command to check the cacert.pem.
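The point of the answer above, as an added example (not code from the answer or from certifi): it reads the notAfter of every certificate in a PEM bundle instead of only the first. The helper names and `SAMPLE_BUNDLE` are assumptions; the sample holds two constructed DER skeletons with no names, keys or signatures, the first dated like the output in the question.

```python
import base64
import re
from datetime import datetime, timezone

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1 certs)
        pos = end
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, pos = read_tlv(der, pos)      # skip the fields before validity
    _, pos, _ = read_tlv(der, pos)          # validity SEQUENCE
    _, _, pos = read_tlv(der, pos)          # skip notBefore
    tag, start, end = read_tlv(der, pos)    # notAfter: UTCTime 0x17 or GeneralizedTime 0x18
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # RFC 5280: two-digit year >= 50 means 19YY
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def bundle_expiries(pem):
    """Return notAfter for every certificate in a PEM bundle, in file order."""
    return [not_after(base64.b64decode(b)) for b in PEM_CERT.findall(pem)]

def fake_cert(not_after_utc):
    """Constructed sample: DER skeleton with the real field layout, empty names/key/signature."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    validity = seq(0x30, seq(0x17, b"200101000000Z") + seq(0x17, not_after_utc))
    tbs = seq(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00" * 2
              + validity + b"\x30\x00" * 2)
    der = seq(0x30, tbs + b"\x30\x00" + b"\x03\x01\x00")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = fake_cert(b"280128120000Z") + fake_cert(b"240530000000Z")  # constructed dates

if __name__ == "__main__":
    dates = bundle_expiries(SAMPLE_BUNDLE)
    print("first certificate:", dates[0])   # all that a single `openssl x509 -enddate` reports
    print("earliest expiry:  ", min(dates), "across", len(dates), "certificates")
```

To run it against an installed bundle, pass `open(certifi.where(), "rb").read()` to `bundle_expiries`.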