Renew Certificates on Windows 2003 CA server

Hello. I'm not very familiar with Windows CA server and I have several Code Signing certificates and DC certificates that are set to expire this month. I'm not really sure how to go about renewing these certs. I checked the properties of the CA server under general and there are three CA certificates: Certificate #0, Certificate #1, and Certificate #2. They all have a valid period until 2109. I'm guessing that means the CA server itself is valid until that year? Will the DC and CS certs also be valid until then, or are they going to expire this month as it says they will under the issued certificates folder? Any help would be greatly appreciated!
Asked by: jmchristy

1 Solution
MiniDevo commented:
Depends, who is the signing CA? Generally, the signing CA (if it's someone like VeriSign, etc.) requires that you repurchase your digital certificate to ensure validity and, well, make more money.
 
jmchristy (Author) commented:
Sorry I didn't specify that. It is an in-house Code Signing cert. We used MS's CS certificate template from a 2003 CA to sign home-grown apps.
 
MiniDevo commented:
Without seeing the digital certificates themselves, you should be okay. If you are worried about expiration, you can always re-certify yourself and set the expiry to 2109 along with your server.
lamaslany commented:
It may be that all of the certificates were issued at the same time rather than at the expiry of the issuing CA certificate. A quick way to check is to look at the 'Valid to' field in the certificate of the issuing CA. This should be accessible from the Certification Path tab of each certificate.

You are correct though - an issuing CA cannot issue certificates that will be valid beyond the life of the issuing CA's own certificate.
 
jmchristy (Author) commented:
So, even though they're set to expire this month they won't disrupt anything when they pass the expiration date? How would I go about doing a re-certify and setting the expiration date to 2109? I know for Code Signing certs they can only use the default expiration period on 2003, but you can copy the template and extend that time on an Enterprise CA server.
 
MiniDevo commented:
If the certificate expires, it may cause problems for those that are using the programs on Windows machines, as this may kick up a security warning that the application's certificate is no longer valid.
 
jmchristy (Author) commented:
lamaslany,

I checked the Cert Path on the CS cert and it is valid until 2109. So, does that mean that apps published with that particular certificate will still be valid because the issuing CA is valid until 2109, regardless of the expiration date on the actual cert?
 
jmchristy (Author) commented:
So, would I have to get the programmer to request a new CS cert and re-sign all of his apps with the new one each year?
 
MiniDevo commented:
For security reasons I would say yes; for ease of use, you could set the valid date to whatever you want as long as it does not exceed the server's date. I would check with your organization's security policy when it comes to CA signing, as the yearly signature may be a security policy stipulated by your administration.
 
jmchristy (Author) commented:
It doesn't appear that I can set the valid date on a CS cert past the default validity on a Windows 2003 Standard Edition server. The way that a programmer requests a cert now is through the web interface "http://servername/certsrv". There doesn't appear to be any place to change how long the issued CS cert is valid, unless I'm looking in the wrong place.
 
Paranormastic (Cryptographic Engineer) commented:
You are probably running into an issue since the last 2 digits of the validity period are 09 (2109 instead of 2009).

Technically, you should be fine if that is when all the certs expire. That being said - I would heavily recommend testing this on a machine that you can adjust the time setting on, and test all applications that use these certificates. Century bugs are common in software - make sure. If you come across a problem then contact the vendor(s) to see if they might have a patch available to look at the 4-digit year instead of the 2-digit year.

If nothing else, if you test now you will still have a little bit of time to issue new certs with a shorter timeframe - I would recommend not going past 2029 for the expiration date.
 
Paranormastic (Cryptographic Engineer) commented:
And yes, 2029 is a specific recommendation for the top end - or shorter, of course. This is the next time period where a large number of 2-digit-year programs will 'flip' to the next 2-digit year to determine what the beginning century is (i.e. right now they would read 1930 for any year ending in 30, and 2029 for any year ending in 29... in about 15 years they should start updating to change the timeframe to a different number like 59 for the flip).
 
jmchristy (Author) commented:
Okay, I have attached a screenshot of the Code Signing Cert I am referring to. It wasn't purchased through a third-party vendor; we issued it from the MS CA to our programmer via the web interface. You're saying that this cert is actually going to expire in 2109?
[Attachment: cert.jpg]
 
Paranormastic (Cryptographic Engineer) commented:
I'm not saying it's going to expire in 2109 - you did...

From your initial posting:
"They all have a valid period until 2109"
From '24373994':
"I checked the Cert Path on the CS cert and it is valid until 2109. So, does that mean that apps published with that particular certificate will still be valid because the issuing CA is valid until 2109, regardless of expiration date on the actual cert?"

Sorry... apparently this was a typo?

If you look at it in the Certificates MMC that should show the proper year. You can verify by using the command line "certutil -dump %filename.cer%" and looking for the expiration date there.

If it expires in 2009, yes, you need to request a new code signing cert and re-sign the code. The way to get out of having to do this repeatedly is to have the file also be timestamped as part of the process. Commercial CAs usually have a timestamping service that comes with their code signing certs, and there are also 3rd-party timestamping services you can use - some of them are free but may have a few days' turnaround time.

Given the short time, I would suggest re-signing it and getting that out there, and worry about the timestamping after that for a long-term solution.

Sorry about the delay getting back, had a lot of work to do at my real job...
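The checks in the post above (leaf expiry versus the issuing CA's 'Valid to', and whether signed files carry a timestamp) can be scripted rather than read off one certificate at a time. This is an added example, not code from the thread; the certificate store, the warning window and the directory of signed binaries are assumptions to adjust for your environment.

```powershell
# Added example: inventory code-signing certs and verify signed files were timestamped.
# Assumptions: certs live in the current user's Personal store, signed builds are
# under C:\Apps\Signed, and 30 days is the renewal warning window.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$WarnDays       = 30
$SignedDir      = 'C:\Apps\Signed'

# 1. Leaf certificate expiry compared with the issuing CA certificate's expiry
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku }

foreach ($cert in $certs) {
    # Build the chain so the root/issuing CA's NotAfter can be read directly
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($cert)
    $ca    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    [pscustomobject]@{
        Subject      = $cert.Subject
        LeafNotAfter = $cert.NotAfter      # the date that actually governs signing
        CaNotAfter   = $ca.NotAfter        # the 'Valid to' of the issuing CA
        DaysLeft     = $daysLeft
        Status       = if ($daysLeft -lt 0) { 'EXPIRED' }
                       elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                       else { 'OK' }
    }
}

# 2. Signed binaries: a valid signature without a timestamp stops verifying once
#    the signer cert expires; a timestamped one keeps verifying.
Get-ChildItem $SignedDir -Include *.exe, *.dll -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    [pscustomobject]@{
        File          = $_.Name
        Status        = $sig.Status
        SignerExpires = $sig.SignerCertificate.NotAfter
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
}
```

Files reported with Timestamped = False will need re-signing when the signer certificate expires, whereas timestamped files do not.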
 
Paranormastic (Cryptographic Engineer) commented:
See above posting....
 
jmchristy (Author) commented:
I said that I checked the properties of the CA server and it was set to expire in 2109. The individual certs assigned to DCs and CC were set to expire in 2009.

As I said in my initial post, I'm not very familiar with in-house CA servers. Your final post did answer my question.