
CWE-298: Improper Validation of Certificate Expiration

Overview

Improper validation of expired certificates occurs when applications accept SSL/TLS certificates outside their validity period. X.509 certificates include "Not Before" and "Not After" dates defining the window in which the certificate is valid. Accepting expired certificates creates security risks because the certificate is no longer an active assertion by the issuer, the associated private key may have been compromised or abandoned, and revocation information for expired certificates may no longer be maintained. This vulnerability commonly results from disabled certificate validation, custom TLS callbacks that ignore validity dates, or misconfigured TLS libraries.

OWASP Classification

A07:2025 - Authentication Failures

Risk

Medium to High: Expired certificates may indicate compromised infrastructure, abandoned services, or lack of security maintenance. If an application ignores expiration and an attacker has the corresponding private key, the attacker may be able to impersonate the service despite the certificate no longer being valid.

Remediation Steps

Core principle: Always validate certificate expiration dates; reject connections to services presenting expired certificates and implement automated certificate renewal before expiration.

Enable Expiration Validation

Ensure TLS libraries check certificate validity period:

# VULNERABLE - disables certificate validation entirely, so the validity period is never checked
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False  # Dangerous! (must be cleared first, or CERT_NONE below raises ValueError)
context.verify_mode = ssl.CERT_NONE  # Disables all validation, including Not Before / Not After!

# SECURE - use the default context, which performs full validation
context = ssl.create_default_context()
# Validates: chain of trust, validity period (Not Before / Not After), and hostname

// VULNERABLE - disables certificate verification, including expiration checks
const https = require('https');
https.get('https://api.example.com', {
  rejectUnauthorized: false
}, (res) => { console.log(res.statusCode); });

// SECURE - default behavior validates the certificate, including its validity period
https.get('https://api.example.com', (res) => { console.log(res.statusCode); });
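The overview names custom callbacks that ignore validity dates as a common cause of this weakness. The following added example (not code from the page) puts such a name-only check beside a correct one that evaluates "Not Before" and "Not After", run over constructed certificate dicts shaped like the output of `ssl.SSLSocket.getpeercert()`. The hostnames, dates, `FIXED_NOW` clock and the function names are all assumptions made for the example; `verify_endpoint` is the secure default-context path from the snippet above and needs network access, so it runs only under `__main__`.

```python
import socket
import ssl
import time
from datetime import datetime, timezone

# Constructed sample certificates (not real certificates), shaped like the
# dict that ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_CERTS = {
    "valid": {
        "subject": ((("commonName", "valid.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Dec 31 23:59:59 2034 GMT",
    },
    "expired": {
        "subject": ((("commonName", "expired.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2020 GMT",
        "notAfter": "Jan  1 00:00:00 2021 GMT",
    },
    "not_yet_valid": {
        "subject": ((("commonName", "future.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2090 GMT",
        "notAfter": "Jan  1 00:00:00 2091 GMT",
    },
    "missing_dates": {
        "subject": ((("commonName", "broken.example.test"),),),
    },
}

# Fixed clock (an assumption for reproducibility); real callers pass nothing
# and the check uses time.time().
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()


def check_validity_window(cert, now=None):
    """Return (ok, reason) for the certificate's validity period.

    An unreadable or missing date is rejected: a check that cannot parse the
    validity period must fail closed rather than fall through to "accept".
    """
    if now is None:
        now = time.time()
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"unreadable validity period: {exc!r}"
    if now < not_before:
        return False, "certificate is not yet valid"
    if now > not_after:
        return False, "certificate has expired"
    return True, "within validity period"


def accept_cert_ignoring_dates(cert):
    """The CWE-298 pattern: a custom check that inspects the name only."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return subject.get("commonName", "").endswith(".example.test")


def classify_samples(now=FIXED_NOW):
    """Run the flawed check and the correct one over every sample."""
    return {
        name: {
            "ignoring_dates": accept_cert_ignoring_dates(cert),
            "with_dates": check_validity_window(cert, now)[0],
        }
        for name, cert in SAMPLE_CERTS.items()
    }


def verify_endpoint(host, port=443, timeout=5.0):
    """Handshake with the secure default context; expired certs are rejected
    by the library before any application code sees the certificate."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted", tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14s} ignoring dates: {str(result['ignoring_dates']):5s} "
              f"with dates: {result['with_dates']}")
    # Live check against the page's test host; requires network access.
    print(verify_endpoint("expired.badssl.com"))
```

The name-only check accepts all four samples, including the expired and not-yet-valid ones and the one with no dates at all; the date-aware check accepts only the valid one. In production the date check is redundant with `ssl.create_default_context()`, which already enforces the validity period during the handshake; it is needed only when a custom verification path replaces that default.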

Implement Certificate Monitoring

Set up alerts before certificates expire:

  • Monitor certificate expiration dates (alert 30/14/7 days before expiry)
  • Automated certificate renewal (Let's Encrypt, AWS Certificate Manager)
  • Certificate inventory management
  • Continuous monitoring of all endpoints
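As an added example of the 30/14/7-day alerting described above (not code from the page), the following maps each entry of a certificate inventory to an alert level from its `notAfter` date. The inventory, hostnames, dates and `FIXED_NOW` clock are constructed for the example; in a real scan the `notAfter` strings would come from `getpeercert()` on each endpoint.

```python
import ssl
from datetime import datetime, timezone

# Alert thresholds in days before expiry, matching the list above.
ALERT_THRESHOLDS_DAYS = (30, 14, 7)

# Constructed inventory (hypothetical hosts and dates, not real endpoints),
# in the shape a scan would produce: host, port and the notAfter string
# as returned by ssl.SSLSocket.getpeercert().
SAMPLE_INVENTORY = [
    {"host": "api.example.test", "port": 443, "notAfter": "Sep 15 12:00:00 2025 GMT"},
    {"host": "mail.example.test", "port": 993, "notAfter": "Jun 20 00:00:00 2025 GMT"},
    {"host": "vpn.example.test", "port": 443, "notAfter": "Jun 12 00:00:00 2025 GMT"},
    {"host": "legacy.example.test", "port": 8443, "notAfter": "Jun 04 00:00:00 2025 GMT"},
    {"host": "old.example.test", "port": 443, "notAfter": "May 01 00:00:00 2025 GMT"},
]

# Fixed clock (an assumption for reproducibility); a scheduled job uses time.time().
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()


def days_until_expiry(not_after, now):
    """Remaining lifetime in days; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def alert_level(days_left, thresholds=ALERT_THRESHOLDS_DAYS):
    """Map remaining lifetime to an alert level.

    'expired' below zero; otherwise the tightest threshold already crossed
    (5 days left -> 'alert_7d', 20 days left -> 'alert_30d'); 'ok' beyond them.
    """
    if days_left < 0:
        return "expired"
    for threshold in sorted(thresholds):  # 7, 14, 30
        if days_left <= threshold:
            return f"alert_{threshold}d"
    return "ok"


def expiry_report(inventory=SAMPLE_INVENTORY, now=FIXED_NOW):
    """Per-endpoint report, most urgent first."""
    report = []
    for entry in inventory:
        days_left = days_until_expiry(entry["notAfter"], now)
        report.append({
            "host": entry["host"],
            "port": entry["port"],
            "days_left": round(days_left, 1),
            "level": alert_level(days_left),
        })
    report.sort(key=lambda row: row["days_left"])
    return report


def endpoints_needing_action(report):
    """Everything that is not 'ok', i.e. what the alerting channel should carry."""
    return [row for row in report if row["level"] != "ok"]


if __name__ == "__main__":
    for row in expiry_report():
        print(f"{row['level']:10s} {row['days_left']:7.1f} days  {row['host']}:{row['port']}")
```

One practical caveat for the live scan: `ssl.create_default_context()` refuses the handshake with an already-expired server, so `getpeercert()` never returns a date for it. Treat that handshake failure itself as an "expired" alert rather than skipping the host, so the inventory never silently loses the endpoints that need attention most.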

Use Automated Certificate Management

Implement certificate lifecycle automation:

  • ACME protocol: Let's Encrypt, ZeroSSL for automated issuance/renewal
  • Cloud providers: AWS ACM, Azure Key Vault, GCP Certificate Manager
  • cert-manager: Kubernetes certificate automation
  • Certbot: Automated renewal for web servers

Test Expiration Validation

Verify your code rejects expired certificates:

# Test with an expired certificate (the request should fail with "SSL certificate problem: certificate has expired")
curl https://expired.badssl.com/

# Check a certificate's validity period; </dev/null closes s_client's stdin so it exits after the handshake,
# and -servername sends SNI so the server presents the certificate for that name
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Additional Resources