Re: Root CA Certificate vs Client Cert Expiration
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/02/05
- Previous message: Steven L Umbach: "Re: Cannot authenticate to MS IAS (RADIUS) server using Linksys WAP54G"
- In reply to: MVP: "Re: Root CA Certificate vs Client Cert Expiration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 2 May 2005 10:39:47 -0500
Thanks Brian. That was very helpful as is your book. :) --- Steve
"Brian Komar (MVP)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1cdf6e167cda895b98969b@msnews.microsoft.com...
> In article <umhsAXaTFHA.3308@TK2MSFTNGP14.phx.gbl>, n9rou@nospam-
> comcast.net says...
>> Hi Brian.
>>
>> Thanks for elaborating and I have a question for you if you have the
>> time.
>>
>> In what cases, if any, does it make sense to renew a certificate with the
>> same private key for a client certificate? I know it is a less secure
>> option. I was messing around with renewal options the other day and found
>> that for at least EFS and e-mail using Outlook Express that if I renewed a
>> certificate with the same private key that the new certificate could not be
>> used to decrypt EFS files or emails that were encrypted with the "old"
>> certificate that had the same public key/private key. What is the mechanism
>> preventing such? Does the application also check for serial number,
>> thumbprint, or time stamp to make a determination if the certificate/private
>> key can be used? I think I read somewhere sometime that renewing a
>> certificate with the same private key was mostly a decision based on
>> performance in that it saved cpu cycles because a new key pair did not have
>> to be generated and maybe that is the only reason to use it? Thanks for any
>> help. --- Steve
>>
>>
>><snip>
> For client certificates, I would rarely renew with the same key. The
> only circumstance that I could think of would be if a certificate
> template did not have the correct configuration, and you change the
> template, wanting to renew the certificate to have the correct
> information in the certificate. Not very likely (especially if you
> test).
>
> Now with CA certificates, that is a different story. For CA
> certificates, the best practices guide (and my book) recommend renewing
> with the same key pair at half of the CA certificate's lifetime. This
> ensures that the remaining lifetime of the CA certificate does not
> constrain the lifetime of the certificates it issues. Then, at the full
> lifetime of the original cert, renew with a new key pair.
>
> I have not done extensive testing with renewing with the same key pair,
> so I really cannot offer much of a response for your other questions. It
> really depends on the app. I know that for encryption, EFS stores the
> thumbprint of the active cert in the registry. I did not believe that
> it was the case for decryption, but I have never tested your scenario.
>
> HTH,
> Brian
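As an added example that is not part of the thread: a CA certificate is "renewed" with the same key pair the way Brian describes, and the original and renewed certificates are compared with openssl (assumed to be on PATH; all names and serials are constructed). The public key is unchanged, so a certificate issued under the original CA certificate still chains to the renewed one, while the thumbprint and serial number differ, so anything that identifies a certificate by thumbprint or serial sees two different certificates.

```shell
#!/bin/sh
# Constructed example, not from the thread: "renew" a CA certificate with the
# same key pair and compare the original and renewed certificates.
# Assumes openssl is on PATH; Windows-specific behaviour (EFS, the registry)
# is not modelled here.
set -e
WORK=$(mktemp -d)
CN="/CN=Example Root CA (constructed)"

# One key pair, used by both the original and the renewed CA certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
# Original CA certificate (serial 1) and its same-key renewal (serial 2).
openssl req -x509 -new -key "$WORK/ca.key" -subj "$CN" -days 730 \
    -set_serial 1 -out "$WORK/ca-v1.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -subj "$CN" -days 730 \
    -set_serial 2 -out "$WORK/ca-v2.pem" 2>/dev/null

# A certificate issued under the ORIGINAL CA certificate (constructed subject).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/leaf.key" 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=user (constructed)" \
    -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca-v1.pem" \
    -CAkey "$WORK/ca.key" -set_serial 100 -days 30 \
    -out "$WORK/leaf.pem" 2>/dev/null

# Helpers: what changes and what stays the same between the two CA certs.
thumbprint()  { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }
serial()      { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
pubkey_hash() { openssl x509 -in "$1" -noout -pubkey \
                | openssl pkey -pubin -outform DER | openssl dgst -sha256 \
                | awk '{print $NF}'; }
# Prints "ok" if certificate $2 chains to trust anchor $1, otherwise "fail".
chains_to()   { if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
                    echo ok; else echo fail; fi; }

echo "public key v1: $(pubkey_hash "$WORK/ca-v1.pem")"
echo "public key v2: $(pubkey_hash "$WORK/ca-v2.pem")"   # identical to v1
echo "thumbprint v1: $(thumbprint "$WORK/ca-v1.pem")"
echo "thumbprint v2: $(thumbprint "$WORK/ca-v2.pem")"    # differs from v1
echo "serial v1/v2:  $(serial "$WORK/ca-v1.pem") / $(serial "$WORK/ca-v2.pem")"
# A certificate issued under v1 still validates under the renewed v2, which is
# why same-key CA renewal does not invalidate certificates already issued.
echo "leaf under v1: $(chains_to "$WORK/ca-v1.pem" "$WORK/leaf.pem")"
echo "leaf under v2: $(chains_to "$WORK/ca-v2.pem" "$WORK/leaf.pem")"
```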