Re: Root CA Certificate vs Client Cert Expiration

From: MVP (bkomar_at_nospam.identit.ca)
Date: 04/30/05


Date: Sat, 30 Apr 2005 10:26:52 -0500

Further to Steve's great response...
When you renew a certificate, whether it is with the same key or a new
key pair, the previous version of the certificate is archived if the
request is performed through a renewal process.

This means that the old certificate and private key are still available
to decrypt information encrypted with the public key of the key pair.
When a certificate expires, you cannot use the certificate for "active"
operations (the encryption process), but you still can for the
decryption process.

As Steve stated, make sure that you back up *all* certificates and
private keys, especially for encryption applications such as S/MIME and
EFS, so that you can recover older docs and messages.

Brian

In article <O9ZwiwETFHA.580@TK2MSFTNGP15.phx.gbl>, n9rou@nospam-
comcast.net says...
> When a certificate is renewed you have a couple of options. You can renew it
> with the same private key or with a new private key. Renewing with a new
> private key is the more secure option. If you renew with the same private
> key then "maybe" the same certificate/private key can be used but I am not
> 100 percent sure about that. If you want to pursue that option of renewing
> the same private key you may want to post in an Exchange newsgroup or two to
> see what they have to say about doing such.
>
> Assuming you renew the certificate with a new private key it will not be
> able to be used to decrypt old emails that were encrypted with the now
> expired certificate/private key. The old private key however still can. In
> all cases you should keep the old certificate/private keys and have backups
> of such [ done by the certificate owners] which you can do by exporting them
> [including private key] to a password protected .pfx file. In Windows only
> the .pfx file contains the certificate and private key. A .cer file contains
> just the certificate, which is the public key. If you have not seen the link
> below it may be helpful. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> "Griff" <Griff@discussions.microsoft.com> wrote in message
> news:7DD40EAE-C1AD-4A2E-9124-1B8F0F9DE277@microsoft.com...
> > Steven,
> >
> > That was helpful.. I am running 2003 standard. Let's say the president of
> > the
> > company is locking email and files down with his cert. Will he be able to
> > access those protected items with a new cert if it is issued by the same
> > CA?
> > I have found the client cert renewal process to be troublesome, so I am
> > interested in just issuing new ones after the old one expires. Is that an
> > option? I am just trying to avoid locking the company out of our reports
> > after the year is up....
> >
> > "Steven L Umbach" wrote:
> >
> >> First off, a client certificate can never expire after a CA certificate so
> >> keep that in mind with your planning. For Windows 2000 and Windows 2003
> >> Standard version Certificate Authorities the certificates will need to be
> >> renewed manually which the users can do themselves if they have been
> >> trained
> >> to do such. An Enterprise CA that is installed on a Windows 2003
> >> Enterprise
> >> Server can be configured to renew certificates automatically if you use
> >> version 2 templates [configurable copies of version 1 templates] and have
> >> enabled autoenrollment for users and/or computers via Group Policy.
> >> Windows
> >> 2000 does allow automatic request of "computer" certificates only via
> >> Group
> >> Policy. I am not sure offhand if they will be renewed if the computer

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
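Added example (not code from Brian's or Steve's posts): a small Go program that plays out the behaviour the thread describes. A store holds the current certificate and every archived one; encrypting to an expired certificate is refused, but the archived private key still decrypts the old message after a renewal with a new key pair, and a store that lost the archive cannot. It uses self-signed one-year certificates in place of the enterprise CA and identifies the recipient key by certificate serial number (the issuer-and-serial convention of S/MIME); the store, the names certStore, newEntry, seal, open and runScenario, the "President" subject and the sample message are all the example's own constructions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certEntry is a certificate together with its private key.
type certEntry struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// certStore models a user's personal store, newest entry first; renewal keeps
// the previous entries (certificate and private key) instead of discarding them.
type certStore []*certEntry

// newEntry generates a key pair and a one-year self-signed encryption certificate
// (self-signed to keep the example stand-alone; in the thread the enterprise CA signs).
func newEntry(cn string, notBefore time.Time) (*certEntry, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()), // distinct for each issuance here
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certEntry{cert, key}, err
}

// renew issues a fresh certificate on a new key pair and archives the previous one.
func (s *certStore) renew(cn string, now time.Time) error {
	e, err := newEntry(cn, now)
	if err != nil {
		return err
	}
	*s = append(certStore{e}, *s...) // old certificate and key stay in the store
	return nil
}

// seal is the "active" operation: encrypt to a certificate. It returns the serial
// (what an S/MIME RecipientInfo carries alongside the issuer) and the ciphertext.
// An expired certificate is refused, as a mail client refuses it.
func seal(cert *x509.Certificate, msg []byte, now time.Time) (*big.Int, []byte, error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, nil, fmt.Errorf("certificate %s not valid on %s", cert.Subject.CommonName, now.Format("2006-01-02"))
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil)
	return cert.SerialNumber, ct, err
}

// open is the decryption side: use whichever private key in the store belongs to
// the certificate with that serial. Whether that certificate has expired is irrelevant.
func (s *certStore) open(serial *big.Int, ct []byte) ([]byte, error) {
	for _, e := range *s {
		if e.cert.SerialNumber.Cmp(serial) == 0 {
			return rsa.DecryptOAEP(sha256.New(), rand.Reader, e.key, ct, nil)
		}
	}
	return nil, fmt.Errorf("no private key for serial %s; restore it from the .pfx backup", serial)
}

// runScenario: encrypt under the first certificate, let it expire, renew with a new
// key pair, then read the old message. Returns the recovered text, the error from
// encrypting to the expired certificate, the error from a store that did not keep
// the old private key, and any setup error.
func runScenario() (recovered string, sealExpiredErr, noArchiveErr, err error) {
	t0 := time.Date(2005, time.April, 30, 0, 0, 0, 0, time.UTC)
	store := certStore{}
	if err = store.renew("President", t0); err != nil {
		return
	}
	serial, ct, err := seal(store[0].cert, []byte("Q1 report: constructed sample"), t0.AddDate(0, 1, 0))
	if err != nil {
		return
	}
	later := t0.AddDate(1, 1, 0) // the first certificate has expired by now
	if err = store.renew("President", later); err != nil {
		return
	}
	pt, err := store.open(serial, ct) // store[1], the archived entry, decrypts it
	if err != nil {
		return
	}
	_, _, sealExpiredErr = seal(store[1].cert, []byte("new report"), later)
	lost := certStore{store[0]} // new key only: archive gone and never backed up
	_, noArchiveErr = lost.open(serial, ct)
	return string(pt), sealExpiredErr, noArchiveErr, nil
}

func main() { fmt.Println(runScenario()) }
```

The "lost" store at the end is the situation the thread warns about: the renewed certificate's key cannot open anything sealed to the previous one, so the .pfx export with the private key is the only way back to those messages and EFS files.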

