How the Java trust manager handles expired TLS certificates


I have a Spring Boot application that connects to several remote resources, such as AWS DocumentDB, Salesforce, Outlook.com, etc.

To interact with these remote services over TLS, I had to install their certificates in a custom trust store (JKS) that the Java application loads at startup.

My question is: what happens when one (or more) of these certificates expires? Does the application stop connecting to the specific service, or does it continue to run and log a warning?

The JKS file is loaded into the application with:

-Djavax.net.ssl.trustStore=path_to_truststore.jks

in a Docker container deployed into an AWS ECS cluster.

I read some online articles and posts on Stack Overflow, but I'm still confused.

Here: https://softwareengineering.stackexchange.com/a/308538 it seems that the application still works even if the certificate is expired.

Keep in mind, this certificate may not even be technically valid or it can EVEN be self-signed and not validated by a Root CA, but if it exists in the specified Truststore that has been loaded into the Java application then it will still trust it.

What you didn't describe is if this certificate is for a network resource that you are providing as a server or a network resource that you require as a client. If the latter then you might get a warning about the certificate being expired, but it will still work because it is in your trust store.

But here: https://stackoverflow.com/a/22324010/17982071

I read something different.

If a certificate in the trust store expires, and is not replaced with an updated version with the same subject and key, it will be discarded for the purpose of building the certification path, so you'll get a javax.net.ssl.SSLHandshakeException (coming from "PKIX path building failed...").

Thanks.
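Whichever of the two behaviours applies to a given entry, the operational defence is the same: know which entries in the trust store are about to lapse before a handshake tells you. The following is an added example, not code from the question or from either linked answer; it loads the store named by the same javax.net.ssl.trustStore property the question uses and reports each entry's remaining validity. The javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType properties are the standard JSSE ones; the fallback path and password, the 30-day warning threshold and the class name are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

/** Reports expired and soon-to-expire entries in the application's trust store. */
public class TrustStoreExpiryAudit {
    /** Remaining validity (days) below which an entry is flagged; 30 is an assumed threshold. */
    private static final long WARN_DAYS = 30;

    public static void main(String[] args) throws Exception {
        // Read the same properties the JVM is started with (-Djavax.net.ssl.trustStore=...).
        // The fallback path and password below are placeholders for illustration only.
        String path = System.getProperty("javax.net.ssl.trustStore", "path_to_truststore.jks");
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String type = System.getProperty("javax.net.ssl.trustStoreType", "JKS");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        Instant now = Instant.now();
        int expired = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // skip non-X.509 entries (e.g. secret keys)
            }
            X509Certificate cert = (X509Certificate) c;
            Instant notAfter = cert.getNotAfter().toInstant();
            long daysLeft = Duration.between(now, notAfter).toDays();
            // Self-issued entries are roots/anchors; others are intermediates or leaf certs pinned directly.
            String kind = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())
                    ? "self-issued" : "issued by " + cert.getIssuerX500Principal().getName();
            String status = notAfter.isBefore(now) ? "EXPIRED" : daysLeft <= WARN_DAYS ? "EXPIRING" : "OK";
            if (notAfter.isBefore(now)) {
                expired++;
            }
            System.out.printf("%-8s %-20s %s (%s, notAfter=%s, %d days)%n",
                    status, alias, cert.getSubjectX500Principal().getName(), kind, notAfter, daysLeft);
        }
        // Non-zero exit lets a CI step or container health check fail before the handshakes do.
        System.exit(expired > 0 ? 1 : 0);
    }
}
```

Run it with the same -D options as the application (for example as a startup or scheduled task in the ECS container) so it inspects exactly the store the trust manager will use.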
