Flag expired certificates associated with a KeyName.

internet2 · Jan 13, 2014 · 18cd6e3 · 18cd6e3
1 parent 49f00c3
commit 18cd6e3
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/build/check_embedded.pl b/build/check_embedded.pl
@@ -425,6 +425,16 @@ sub comment {
 			} elsif ($error eq 'unable to get local issuer certificate') {
 				$error = "non trust fabric issuer: $issuerCN: remove KeyName?";
 			}
+
+			#
+			# KeyName with an expired certificate indicates some kind of misconfiguration.
+			# Either the KeyDescriptor isn't working, or the expired certificate is still
+			# in use (in which case the KeyName is superfluous) or a different certificate
+			# is in use via PKIX (which means we have the wrong one).
+			#
+			if ($days < 0) {
+				error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName");
+			}
 		}
 
 		if ($error eq 'certificate has expired' && $days < 0) {