Cert verification for non-CA certs

builtin/credential/cert/path_login.go

@@ -175,6 +175,15 @@ func (b *backend) verifyCredentials(req *logical.Request, d *framework.FieldData
 			if tCert.SerialNumber.Cmp(clientCert.SerialNumber) == 0 &&
 				bytes.Equal(tCert.AuthorityKeyId, clientCert.AuthorityKeyId) &&
 				b.matchesConstraints(clientCert, trustedNonCA.Certificates, trustedNonCA) {
+
+				// We are not looking for trusted chains here since this is a
+				// non-CA cert. But validating the connection state detects
+				// expired certificates.
+				_, err := validateConnState(roots, connState)
+				if err != nil {
+					return nil, nil, err
+				}
+
 				return trustedNonCA, nil, nil
 			}
 		}