Root CA Certificate vs Client Cert Expiration

Discussion in 'Security Software' started by Griff, Apr 28, 2005.

  1. Griff

    Griff Guest

    I have a very basic security question. If I set up a root CA for my domain
    and begin handing out all kinds of certs that expire in a year. Do I have to
    keep renewing those client certs every year or will they automatically pull
    down a new one upon expiration?

    Or do I just need to assure that my Root Cert doesn't expire before being
    renewed?
     
    Griff, Apr 28, 2005
    #1

  2. First off, a client certificate can never expire after a CA certificate so
    keep that in mind with your planning. For Windows 2000 and Windows 2003
    Standard version Certificate Authorities the certificates will need to be
    renewed manually which the users can do themselves if they have been trained
    to do such. An Enterprise CA that is installed on a Windows 2003 Enterprise
    Server can be configured to renew certificates automatically if you use
    version 2 templates [configurable copies of version 1 templates] and have
    enabled autoenrollment for users and/or computers via Group Policy. Windows
    2000 does allow automatic request of "computer" certificates only via Group
    Policy. I am not sure offhand if they will be renewed if the computer
    certificate expires, though I tend to believe it will. You can also extend
    the life of most certificates up to two years by configuring the certificate
    template which can be done via configuration of version 2 templates or
    editing the registry for version 1 templates. -- Steve
     
    Steven L Umbach, Apr 28, 2005
    #2

  3. Griff

    Griff Guest

    Steven,

    That was helpful. I am running 2003 standard. Let's say the president of the
    company is locking email and files down with his cert. Will he be able to
    access those protected items with a new cert if it is issued by the same CA?
    I have found the client cert renewal process to be troublesome, so I am
    interested in just issuing new ones after the old one expires. Is that an
    option? I am just trying to avoid locking the company out of our reports
    after the year is up....

     
    Griff, Apr 28, 2005
    #3
  4. When a certificate is renewed you have a couple of options. You can renew it
    with the same private key or with a new private key. Renewing with a new
    private key is the more secure option. If you renew with the same private
    key then "maybe" the same certificate/private key can be used but I am not
    100 percent sure about that. If you want to pursue that option of renewing
    the same private key you may want to post in an Exchange newsgroup or two to
    see what they have to say about doing such.

    Assuming you renew the certificate with a new private key it will not be
    able to be used to decrypt old emails that were encrypted with the now
    expired certificate/private key. The old private key however still can. In
    all cases you should keep the old certificate/private keys and have backups
    of such [done by the certificate owners] which you can do by exporting them
    [including private key] to a password protected .pfx file. In Windows only
    the .pfx file contains the certificate and private key. A .cer file contains
    just the certificate which is the public key. If you have not seen the link
    below it may be helpful. --- Steve

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

     
    Steven L Umbach, Apr 29, 2005
    #4
  5. Further to Steve's great response...
    When you renew a certificate, whether it is with the same key or a new
    key pair, the previous version of the certificate is archived if the
    request is performed through a renewal process.

    This means that the old certificate and private key are still available
    to decrypt information encrypted with the public key of the key pair.
    When a certificate expires, you cannot use the certificate for "active"
    operations (the encryption process), but you still can for the
    decryption process.

    As Steve stated, make sure that you back up *all* certificates and
    private keys, especially for encryption applications such as S/MIME and
    EFS, so that you can recover older docs and messages.

    Brian


     
    Brian Komar (MVP), Apr 30, 2005
    #5
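
The backup advice in posts #4 and #5, as an added PowerShell example that is not part of the thread: it lists every certificate in the current user's personal store, including ones archived by a renewal, and writes each one that has an exportable private key to a password-protected .pfx file. The backup path `C:\CertBackup` and the `KeyId` column are assumptions made for this example.

```powershell
# Added example (not from the thread). $BackupDir is an assumed path; the
# .pfx files hold private keys, so keep them on protected storage.
$BackupDir = 'C:\CertBackup'
$Password  = Read-Host -AsSecureString -Prompt 'Password for the .pfx files'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$sha   = [System.Security.Cryptography.SHA256]::Create()
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
# IncludeArchived also returns certificates that a renewal has archived
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived')
try {
    $report = foreach ($cert in $store.Certificates) {
        $saved = $false
        if ($cert.HasPrivateKey) {
            try {
                # Pfx = certificate plus private key, protected by the password
                $bytes = $cert.Export(
                    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                    $Password)
                $file = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
                [System.IO.File]::WriteAllBytes($file, $bytes)
                $saved = $true
            } catch {
                Write-Warning "Not exported (non-exportable key?): $($cert.Thumbprint)"
            }
        }
        # KeyId (hypothetical column): short hash of the public key. Certificates
        # renewed with the same key share it; the thumbprint differs per certificate.
        $keyHash = [BitConverter]::ToString($sha.ComputeHash($cert.GetPublicKey()))
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyId      = $keyHash.Replace('-', '').Substring(0, 16)
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            Archived   = $cert.Archived
            Exported   = $saved
        }
    }
} finally {
    $store.Close()
}
$report | Sort-Object KeyId, NotAfter | Format-Table -AutoSize
```

Rows with `Exported` set to False and a warning are keys that cannot leave the machine this way and need another recovery path.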
  6. Hi Brian.

    Thanks for elaborating and I have a question for you if you have the time.

    In what cases, if any, does it make sense to renew a certificate with the
    same private key for a client certificate?? I know it is a less secure
    option. I was messing around with renewal options the other day and found
    that for at least EFS and e-mail using Outlook Express that if I renewed a
    certificate with the same private key that the new certificate could not be
    used to decrypt EFS files or emails that were encrypted with the "old"
    certificate that had the same public key/private key. What is the mechanism
    preventing such? Does the application also check for serial number,
    thumbprint, or time stamp to make a determination if the certificate/private
    key can be used?? I think I read somewhere sometime that renewing a
    certificate with the same private key was mostly a decision based on
    performance in that it saved cpu cycles because a new key pair did not have
    to be generated and maybe that is the only reason to use it? Thanks for any
    help. --- Steve


     
    Steven L Umbach, Apr 30, 2005
    #6
  7. For client certificates, I would rarely renew with the same key. The
    only circumstance that I could think of would be if a certificate
    template did not have the correct configuration, and you change the
    template, wanting to renew the certificate to have the correct
    information in the certificate. Not very likely (especially if you
    test).

    Now with CA certificates, that is a different story. For CA
    certificates, the best practices guide (and my book) recommend renewing
    with the same key pair at half of the CA certificate's lifetime. This
    ensures that the certificate lifetime remaining for the CA
    certificate does not constrain the lifetime of the certificates it
    issues. Then, at the full lifetime of the original cert, renew with a
    new key pair.

    I have not done extensive testing with renewing with the same key pair,
    so I really cannot offer much of a response for your other questions. It
    really depends on the app. I know that for encryption, EFS stores the
    thumbprint of the active cert in the registry. I did not believe that
    it was the case for decryption, but I have never tested your scenario.

    HTH,
    Brian
     
    Brian Komar (MVP), May 2, 2005
    #7
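
A check for the half-lifetime rule in post #7 and the lifetime constraint in post #2, added here as an example and not taken from the thread. The function name `Get-CaRenewalStatus` is hypothetical, the dates in the demo call are constructed, and the cut-off of an issued certificate at the CA certificate's expiry is modelled as an assumption.

```powershell
# Added example, not from the thread. Dates in the demo call are constructed.
function Get-CaRenewalStatus {
    param(
        [datetime]$CaNotBefore,
        [datetime]$CaNotAfter,
        [timespan]$LeafLifetime,          # validity period the template asks for
        [datetime]$Now = (Get-Date)
    )
    # Midpoint of the CA certificate's validity: the renew-with-same-key point
    $halfLife  = $CaNotBefore.AddTicks([long](($CaNotAfter - $CaNotBefore).Ticks / 2))
    $requested = $Now + $LeafLifetime
    # Modelled rule: an issued certificate cannot outlive its CA certificate
    $truncated = $requested -gt $CaNotAfter
    $effective = if ($truncated) { $CaNotAfter } else { $requested }
    [pscustomobject]@{
        CaHalfLife    = $halfLife
        PastHalfLife  = $Now -ge $halfLife
        LeafNotAfter  = $effective
        LeafTruncated = $truncated
    }
}

# Constructed case: 10-year CA from 2005-05-01, 2-year client certificates,
# evaluated on 2014-01-01 with no mid-life renewal of the CA certificate.
Get-CaRenewalStatus -CaNotBefore '2005-05-01' -CaNotAfter '2015-05-01' `
    -LeafLifetime ([timespan]::FromDays(730)) -Now '2014-01-01'

# Same check for the issuers of the certificates in the current user's store
$x509 = 'System.Security.Cryptography.X509Certificates'
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lifetime check only
    [void]$chain.Build($_)
    if ($chain.ChainElements.Count -ge 2) {          # skip self-signed entries
        $ca = $chain.ChainElements[1].Certificate    # element 0 is the leaf
        Get-CaRenewalStatus -CaNotBefore $ca.NotBefore -CaNotAfter $ca.NotAfter `
            -LeafLifetime ($_.NotAfter - $_.NotBefore) |
            Select-Object @{ n = 'Issuer'; e = { $ca.Subject } }, *
    }
}
```

An issuer reported with `PastHalfLife` true is due for the same-key renewal described above; `LeafTruncated` true means a certificate issued today would already get a shortened lifetime.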
  8. Thanks Brian. That was very helpful as is your book. :) --- Steve
     
    Steven L Umbach, May 2, 2005
    #8
