Re: Root CA Certificate vs Client Cert Expiration

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/29/05


Date: Thu, 28 Apr 2005 18:44:55 -0500

When a certificate is renewed you have a couple of options. You can renew it
with the same private key or with a new private key. Renewing with a new
private key is the more secure option. If you renew with the same private
key then "maybe" the same certificate/private key can be used but I am not
100 percent sure about that. If you want to pursue that option of renewing
the same private key you may want to post in an Exchange newsgroup or two to
see what they have to say about doing such.

Assuming you renew the certificate with a new private key it will not be
able to be used to decrypt old emails that were encrypted with the now
expired certificate/private key. The old private key however still can. In
all cases you should keep the old certificate/private keys and have backups
of such [done by the certificate owners] which you can do by exporting them
[including private key] to a password protected .pfx file. In Windows only
the .pfx file contains the certificate and private key. A .cer file contains
just the certificate which is the public key. If you have not seen the link
below it may be helpful. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

"Griff" <Griff@discussions.microsoft.com> wrote in message
news:7DD40EAE-C1AD-4A2E-9124-1B8F0F9DE277@microsoft.com...
> Steven,
>
> That was helpful.. I am running 2003 standard. Let's say the president of
> the company is locking email and files down with his cert. Will he be able to
> access those protected items with a new cert if it is issued by the same CA?
> I have found the client cert renewal process to be troublesome, so I am
> interested in just issuing new ones after the old one expires. Is that an
> option? I am just trying to avoid locking the company out of our reports
> after the year is up....
>
> "Steven L Umbach" wrote:
>
>> First off a client certificate can never expire after a CA certificate so
>> keep that in mind with your planning. For Windows 2000 and Windows 2003
>> Standard version Certificate Authorities the certificates will need to be
>> renewed manually which the users can do themselves if they have been trained
>> to do such. An Enterprise CA that is installed on a Windows 2003 Enterprise
>> Server can be configured to renew certificates automatically if you use
>> version 2 templates [configurable copies of version 1 templates] and have
>> enabled autoenrollment for users and/or computers via Group Policy. Windows
>> 2000 does allow automatic request of "computer" certificates only via Group
>> Policy. I am not sure offhand if they will be renewed if the computer
>> certificate expires, though I tend to believe it will. You can also extend
>> the life of most certificates up to two years by configuring the certificate
>> template which can be done via configuration of version 2 templates or
>> editing the registry for version 1 templates. -- Steve
>>
>>
>> "Griff" <Griff@discussions.microsoft.com> wrote in message
>> news:991E7558-988F-48BE-A907-4C8391F3E966@microsoft.com...
>> > I have a very basic security question. If I set up a root CA for my domain
>> > and begin handing out all kinds of certs that expire in a year, do I have
>> > to keep renewing those client certs every year or will they automatically
>> > pull down a new one upon expiration?
>> >
>> > Or do I just need to assure that my Root Cert doesn't expire before being
>> > renewed?
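The two practical points in Steve's replies, that a client certificate cannot outlive its CA certificate and that the owner should keep a password-protected .pfx backup of each certificate and private key, can be scripted on the client. This is an added example, not code from the thread; it assumes a modern Windows PowerShell with the PKI module (Export-PfxCertificate, Export-Certificate) rather than the Windows 2003 tooling discussed, and the CA subject name and backup folder are placeholders.

```powershell
# Added example: audit user certificates issued by one CA and back them up.
# Assumes PowerShell 5.1+ with the PKI module, run as the certificate owner.
param(
    [string]$BackupDir = "$env:USERPROFILE\CertBackup",   # assumed location
    [string]$CaSubject = "CN=Example Root CA"              # placeholder CA name
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The issuing CA certificate as installed in the Trusted Root store
$ca = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $CaSubject } | Select-Object -First 1
if (-not $ca) { throw "CA certificate '$CaSubject' not found in Trusted Root store" }

# One password protects every .pfx written by this run
$pfxPassword = Read-Host -Prompt "Password for .pfx backups" -AsSecureString

# Only this user's certificates that were issued by that CA and carry a private key
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey }

foreach ($cert in $certs) {
    # A client certificate never outlives its CA, so a NotAfter beyond the CA's
    # means the CA certificate must be renewed before this one can be.
    if ($cert.NotAfter -gt $ca.NotAfter) {
        Write-Warning "$($cert.Subject) [$($cert.Thumbprint)] expires after the CA certificate"
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("{0}  expires {1:yyyy-MM-dd} ({2} days left)" -f $cert.Subject, $cert.NotAfter, $daysLeft)

    $base = Join-Path $BackupDir $cert.Thumbprint
    try {
        # .pfx = certificate + private key; this is what decrypts old mail later
        Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $pfxPassword | Out-Null
    } catch {
        # Keys marked non-exportable at enrollment cannot be backed up this way
        Write-Warning "Private key for $($cert.Thumbprint) is not exportable: $_"
    }
    # .cer = certificate (public key) only; safe to hand to others
    Export-Certificate -Cert $cert -FilePath "$base.cer" | Out-Null
}
```

Keep the .pfx files and their password somewhere separate from the workstation; after a renewal with a new key, the old .pfx is the only way back into mail encrypted to the old certificate.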


