A typical Windows server often already contains TLS certificates in the certificate store which have, however, expired.
The current NATS configuration only allows for matching a subject or an issuer of the certificate, so nothing unique (like a hash), and it also doesn't care about certificate validity.
Proposed Change:
Add an option to skip expired certificates when searching for a match in the certificate store.
Who Benefits From The Change(s)?
Administrators configuring NATS server instances
Alternative Approaches
Add another configuration option for searching for a certificate hash.
Makes sense to allow Windows repeated search until no more hits or a time-valid cert (whichever first). Thanks for the contribution @dmpriso. I will review the PR.
Feature Request
Previously started here: https://github.com/nats-io/nats-server/issues/2130#issuecomment-1655164371
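The selection behaviour discussed in this issue, as an added Go sketch that is not NATS server code: an in-memory slice stands in for the Windows certificate store, and the search continues past expired hits until a time-valid certificate is found or the matches run out. The names `selectBySubject`, `sampleStore` and `errNoMatch`, the substring match on the common name, and the sample certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
	"time"
)

var errNoMatch = errors.New("no usable certificate matches the subject")

// selectBySubject walks store in order, as a repeated store search would, and
// returns the first certificate whose subject CN contains match. With
// skipInvalid set, expired or not-yet-valid hits are passed over.
func selectBySubject(store []*x509.Certificate, match string, skipInvalid bool, now time.Time) (*x509.Certificate, error) {
	for _, c := range store {
		if !strings.Contains(c.Subject.CommonName, match) {
			continue
		}
		if skipInvalid && (now.Before(c.NotBefore) || now.After(c.NotAfter)) {
			continue // keep searching instead of returning a stale certificate
		}
		return c, nil
	}
	return nil, errNoMatch
}

// sampleStore is constructed data: two certificates share a subject, the first expired.
func sampleStore(now time.Time) []*x509.Certificate {
	mk := func(cn string, from, to time.Time) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	}
	return []*x509.Certificate{
		mk("nats.example.internal", now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0)), // expired
		mk("nats.example.internal", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0)),  // current
	}
}

func main() {
	now := time.Now()
	store := sampleStore(now)
	first, _ := selectBySubject(store, "nats.example", false, now)
	valid, _ := selectBySubject(store, "nats.example", true, now)
	fmt.Println("validity ignored:", first.NotAfter.Format(time.RFC3339))
	fmt.Println("expired skipped: ", valid.NotAfter.Format(time.RFC3339))
}
```

With validity ignored, the first subject match wins even though it has expired; with the skip enabled, the same search returns the current certificate, and a store holding only expired matches yields an error rather than a stale certificate.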