
CWE-298: Improper Certificate Validation (Expired)

Overview

Improper validation of certificate expiration occurs when an application accepts an X.509 (SSL/TLS) certificate outside its validity period. Every X.509 certificate carries a validity field with "Not Before" and "Not After" timestamps, and a relying party must reject a certificate presented before the first or after the second. Accepting expired certificates is dangerous for several reasons: CAs generally stop publishing revocation status for expired certificates, so a private key compromised after expiry may never appear in a CRL or OCSP response; the former owner has no obligation to keep protecting the key of a credential it considers dead; and an expired certificate often indicates an abandoned or unmaintained service. The weakness usually results from verification that was disabled during development and never re-enabled, from custom verification callbacks that skip the date check, or from misconfigured TLS libraries.

OWASP Classification

A07:2025 - Authentication Failures

Risk

Medium to High: An expired certificate may indicate compromised infrastructure, an abandoned service, or missing security maintenance. An attacker holding the private key of an expired certificate can impersonate the service to any client that skips the date check, and the impersonation goes unnoticed because revocation lists and OCSP responders generally drop entries for expired certificates. Only clients that enforce the validity window are protected.

Remediation Steps

Core principle: Always validate the certificate validity period; reject connections to services presenting expired (or not-yet-valid) certificates, and renew certificates automatically well before they expire.

Enable Expiration Validation

Ensure the TLS library verifies the certificate validity period. Libraries do this by default; the common mistake is switching verification off:

# VULNERABLE - verification disabled, so an expired certificate is accepted
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False  # Dangerous: no hostname check
context.verify_mode = ssl.CERT_NONE  # Disables chain, validity-period and hostname checks

# SECURE - the default context verifies the chain of trust, the validity period and the hostname
context = ssl.create_default_context()
# Note: revocation (CRL/OCSP) is NOT checked by default. To check CRLs, set
# context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF and load the CRL with load_verify_locations().

// VULNERABLE - rejectUnauthorized: false disables chain and validity-period checks
const tls = require('tls');
tls.connect({ host: 'example.com', port: 443, rejectUnauthorized: false });  // Accepts expired certs!
// Overriding checkServerIdentity with a no-op (checkServerIdentity: () => undefined)
// only skips the hostname check; chain and dates are still verified, but any valid
// certificate for any host is then accepted, so it is dangerous too.

// SECURE - keep the defaults: rejectUnauthorized is true and checkServerIdentity enforces the hostname
tls.connect({ host: 'example.com', port: 443, rejectUnauthorized: true });

Implement Certificate Monitoring

Set up alerts before certificates expire:

  • Monitor certificate expiration dates (alert 30/14/7 days before expiry)
  • Automated certificate renewal (Let's Encrypt, AWS Certificate Manager)
  • Certificate inventory management
  • Continuous monitoring of all endpoints
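The following is an added example, not code from the original page or from any of the tools listed here. It serves both the validation section above (evaluating the Not Before / Not After window the way a TLS client must) and the monitoring section (raising the 30/14/7-day alerts). It works on the dict returned by Python's ssl.SSLSocket.getpeercert(); the function and class names are my own, and the probe_endpoint() helper connects with the strict default context, so an already-expired certificate shows up as a rejected handshake rather than as a parsed certificate.

```python
"""Added example: classify an X.509 validity window for TLS clients and
certificate monitors. Operates on the dict returned by
ssl.SSLSocket.getpeercert(), whose 'notBefore' / 'notAfter' fields look like
'Mar  7 12:00:00 2025 GMT'.
"""
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional, Sequence

DAY = 86400
ALERT_DAYS = (30, 14, 7)  # monitoring thresholds from the list above


@dataclass(frozen=True)
class ValidityResult:
    status: str                 # "valid", "expiring", "expired", "not_yet_valid", "rejected"
    days_left: float            # (notAfter - now) / 86400; negative once expired
    alert_level: Optional[int]  # tightest alert threshold crossed, else None
    detail: str = ""


def check_validity(cert: dict, now: Optional[float] = None,
                   alert_days: Sequence[int] = ALERT_DAYS) -> ValidityResult:
    """Classify a certificate against 'now' (seconds since the epoch, UTC)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / DAY
    # RFC 5280 makes both bounds inclusive: only strictly-outside times fail.
    if now < not_before:
        return ValidityResult("not_yet_valid", days_left, None, "notBefore is in the future")
    if now > not_after:
        return ValidityResult("expired", days_left, None, "notAfter has passed")
    crossed = [d for d in sorted(alert_days) if days_left <= d]
    if crossed:
        return ValidityResult("expiring", days_left, crossed[0],
                              f"expires in {days_left:.1f} days")
    return ValidityResult("valid", days_left, None)


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> ValidityResult:
    """Connect with full verification and classify the leaf certificate.

    Needs network access, so the offline self-test does not call it. The
    default context already enforces the validity period, so an expired
    certificate never reaches check_validity(): the handshake fails and the
    OpenSSL reason is reported instead.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return check_validity(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return ValidityResult("rejected", float("nan"), None, exc.verify_message)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["example.com"]:
        print(target, probe_endpoint(target))
```

Run it with a list of hostnames to get one line per endpoint; a monitor would page on "expiring" with alert_level 7 and on "rejected". Note that getpeercert() returns an empty dict when verification is disabled, so a monitor that wants to inspect certificates that are already expired must fetch the DER form with getpeercert(binary_form=True) and parse it separately; do not weaken the context used by application traffic to get there.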

Use Automated Certificate Management

Implement certificate lifecycle automation:

  • ACME protocol: Let's Encrypt, ZeroSSL for automated issuance/renewal
  • Cloud providers: AWS ACM, Azure Key Vault, GCP Certificate Manager
  • cert-manager: Kubernetes certificate automation
  • Certbot: Automated renewal for web servers

Test Expiration Validation

Verify your code rejects expired certificates:

# Test with an expired certificate (must fail: curl exits with status 60,
# "SSL certificate problem: certificate has expired")
curl https://expired.badssl.com/

# Check a live endpoint's validity period (send SNI, and close stdin so s_client returns)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
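The following is an added example, not code from the original page: a unit-test-style check that a Python TLS client configuration still enforces the validity period, plus an optional live probe against expired.badssl.com (the endpoint used by the curl test above). The function names are my own; weakened_context() rebuilds the VULNERABLE snippet from the "Enable Expiration Validation" section so the audit has something to catch.

```python
"""Added example: assert that a TLS client context cannot accept an expired
certificate, and optionally prove it against a known-expired endpoint."""
import socket
import ssl
from typing import List


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that would let an expired or mismatched certificate through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain, validity period and "
                        "hostname are not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any valid certificate, for any host, "
                        "is accepted")
    return findings


def strict_context() -> ssl.SSLContext:
    """The configuration production code should use."""
    return ssl.create_default_context()


def weakened_context() -> ssl.SSLContext:
    """The 'development' configuration from the VULNERABLE snippet on this page."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def rejects_expired(ctx: ssl.SSLContext, host: str = "expired.badssl.com",
                    port: int = 443, timeout: float = 5.0) -> bool:
    """Live check (needs network, so the offline self-test skips it): True only if
    the handshake with a known-expired endpoint fails specifically because the
    certificate has expired."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return False  # handshake succeeded: the date check is not enforced
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL reports X509_V_ERR_CERT_HAS_EXPIRED as "certificate has expired"
        return "expired" in exc.verify_message


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("weakened", weakened_context())):
        print(name, "findings:", audit_context(ctx) or "none")
        print(name, "rejects expired.badssl.com:", rejects_expired(ctx))
```

Wire audit_context() into the test suite that covers whatever builds your application's SSLContext, so a "temporary" CERT_NONE cannot reach production unnoticed; keep rejects_expired() for an integration test that has network access.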

Dynamic Scan Guidance

For guidance on remediating this CWE when detected by dynamic (DAST) scanners:

Additional Resources