nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

Handling of expired certificates in Windows Certificate Store #4383

Open dmpriso opened 1 year ago

dmpriso commented 1 year ago

Feature Request

Previously started here: https://github.com/nats-io/nats-server/issues/2130#issuecomment-1655164371

Use Case:

A typical Windows server often already contains TLS certificates in the certificate store which have, however, expired. The current NATS configuration only allows for matching a subject or an issuer of the certificate, so nothing unique (like a hash), and it also doesn't care about certificate validity.

Proposed Change:

Add an option to skip expired certificates when searching for a match in the certificate store.

Who Benefits From The Change(s)?

Alternative Approaches

Add another configuration option for searching for a certificate hash.

tbeets commented 1 year ago

Makes sense to allow Windows repeated search until no more hits or a time-valid cert (whichever first). Thanks for the contribution @dmpriso. I will review the PR.
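One way to implement the behaviour proposed in the request above and in the reply, as an added example in Go that is not nats-server code: candidates matching the configured subject are walked in store order and the first whose validity window contains the current time is returned, so an expired hit no longer wins. The Windows certificate store query is replaced by an in-memory slice of constructed self-signed certificates, and `selectValidCert` and `selfSigned` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selectValidCert walks the candidates in store order (a hypothetical stand-in for the Windows
// store query) and returns the first whose subject CN matches and whose NotBefore..NotAfter
// window contains now. Expired or not-yet-valid hits are skipped, as the issue proposes.
func selectValidCert(cn string, now time.Time, store ...*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range store {
		if c.Subject.CommonName == cn && !now.Before(c.NotBefore) && !now.After(c.NotAfter) {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no time-valid certificate matched subject %q", cn)
}

// selfSigned builds a constructed self-signed certificate for the demo (not a real store entry).
func selfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Now()
	expired := selfSigned("nats.example.test", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	valid := selfSigned("nats.example.test", now.Add(-time.Hour), now.Add(24*time.Hour))
	c, err := selectValidCert("nats.example.test", now, expired, valid)
	fmt.Println(c.NotAfter.Equal(valid.NotAfter), err) // prints: true <nil>
}
```

The expired certificate is listed first to show that store order alone no longer decides the match.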