jmchristy
Renew Certificates on Windows 2003 CA server

Hello. I'm not very familiar with Windows CA server and I have several Code Signing certificates and DC certificates that are set to expire this month. I'm not really sure how to go about renewing these certs. I checked the properties of the CA server under general and there are three CA certificates: Certificate #0, Certificate #1, and Certificate #2. They all have a valid period until 2109. I'm guessing that means the CA server itself is valid until that year? Will the DC and CS certs also be valid until then, or are they going to expire this month as it says they will under the issued certificates folder? Any help would be greatly appreciated!
MiniDevo
Depends, who is the signing CA? Generally, the signing CA (if it's someone like VeriSign, etc.) require that you repurchase your digital certificate to ensure validity and well, make more money.
jmchristy
Sorry I didn't specify that. It is an in-house Code Signing cert. We used MS's CS certificate template from a 2003 CA to sign home grown apps.
Without seeing the digital certificates themselves, you should be okay. If you are worried about expiration, you can always re-certify yourself and set the expiry to 2109 along with your server.
lamaslany
It may be that all of the certificates were issued at the same time rather than the expiry of the issuing CA certificate.  A quick way to check it to look at the 'Valid to' field in the certificate of the issuing CA.  This should be accessible from the Certification Path tab of each certificate.  

You are correct though - an issuing CA cannot issue certificates that will be valid beyond the life of the issuing CA's own certificate.
So, even though they're set to expire this month they won't disrupt anything when they pass the expiration date? How would I go about doing a re-certify and setting the expiration date to 2109? I know for Code Signing certs they can only use the default expiration period on 2003, but you can copy the template and extend that time on an Enterprise CA server.
If the certificate expires, it may cause problems for those that are using the programs on Windows machines as this may kick up a security warning that the application's certificate is no longer valid.
lamaslany,

  I checked the Cert Path on the CS cert and it is valid until 2109. So, does that mean that apps published with that particular certificate will still be valid because the issuing CA is valid until 2109, regardless of expiration date on the actual cert?
So, would I have to get the programmer to request a new CS cert and re-sign all of his apps with the new one each year?
For security reasons I would say yes, for ease of use, you could set the valid date to whatever you want as long as it does not exceed the server's date. I would check with your organization's security policy when it comes to CA signing as the yearly signature may be a security policy stipulated by your administration.
It doesn't appear that I can set the valid date on a CS cert past the default validity on a Windows 2003 standard edition server. The way that a programmer requests a cert now is through the web "http://servername/certsrv". There doesn't appear to be any place to change how long the issued CS cert is valid, unless I'm looking in the wrong place.
You are probably running into an issue since the last 2 digits of the validity period are 09 (2109 instead of 2009).

Technically, you should be fine if that is when all the certs expire.  That being said - I would heavily recommend testing this on a machine that you can adjust the time setting on and test all applications that use these certificates.  Century bugs are common in software - make sure.  If you come across a problem then contact the vendor(s) to see if they might have a patch available to look at the 4-digit year instead the 2-digit year.

If nothing else, if you test now you will still have a little bit of time to issue new certs with a shorter timeframe - I would recommend not going past 2029 for the expiration date.
And yes, 2029 is a specific recommendation for the top end - or shorter of course. This is the next time period where a large number of 2-digit software packages will 'flip' to the next 2-digit year to determine what the beginning century is (i.e. right now they would read 1930 for any year ending in 30, and 2029 for any year ending in 29... in about 15 years they should start updating to change the timeframe to a different number like 59 for the flip).
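The two checks discussed above (lamaslany's 'Valid to' walk up the Certification Path, and Paranormastic's warning about validity dates beyond the 2-digit-year pivot) can be scripted instead of clicked through. This is an added example, not code from the thread; it assumes a Windows host with PowerShell, reads the local machine's Personal store, and uses 2029 as the pivot year suggested in the thread.

```powershell
# Added example: for every certificate in the local machine's Personal store,
# build its chain and report the 'Valid to' date of each link, then flag
# (a) any certificate that outlives its issuer and (b) any expiry past the
# 2-digit-year pivot the thread recommends staying under.
$pivot = 2029   # top-end year recommended in the thread

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the validity dates matter here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)

    Write-Host ("== {0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter)
    $prev = $null
    # ChainElements runs from the end-entity certificate up to the root.
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        Write-Host ("   {0,-60} valid to {1:yyyy-MM-dd}" -f $c.Subject, $c.NotAfter)

        # An issued certificate must not be valid beyond its issuer's certificate.
        if ($prev -and $prev.NotAfter -gt $c.NotAfter) {
            Write-Warning ("{0} expires after its issuer {1}" -f $prev.Subject, $c.Subject)
        }

        # Expiry years past the pivot are where 2-digit-year handling breaks;
        # RFC 5280 also encodes dates of 2050 and later as GeneralizedTime
        # rather than UTCTime, another thing old parsers trip over.
        if ($c.NotAfter.Year -gt $pivot) {
            Write-Warning ("{0} is valid until {1}; test relying applications with the clock moved forward" `
                -f $c.Subject, $c.NotAfter.Year)
        }
        $prev = $c
    }
    $chain.Reset()
}
```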
Okay, I have attached a screen shot of the Code Signing Cert I am referring to. It wasn't purchased through a third party vendor, we issued it from the MS CA to our programmer via the web interface. You're saying that this cert is actually going to expire in 2109?
cert.jpg
ASKER CERTIFIED SOLUTION
Paranormastic
See above posting....
I said that I checked the properties of the CA server and it was set to expire in 2109. The individual certs assigned to DC's and CC were set to expire in 2009.

As I said in my initial post, I'm not very familiar with in-house CA servers. Your final post did answer my question.