Solved

Renew Certificates on Windows 2003 CA server

Posted on 2009-05-13
953 Views
Last Modified: 2013-12-20
Hello. I'm not very familiar with Windows CA server and I have several Code Signing certificates and DC certificates that are set to expire this month. I'm not really sure how to go about renewing these certs. I checked the properties of the CA server under general and there are three CA certificates: Certificate #0, Certificate #1, and Certificate #2. They all have a valid period until 2109. I'm guessing that means the CA server itself is valid until that year? Will the DC and CS certs also be valid until then, or are they going to expire this month as it says they will under the issued certificates folder? Any help would be greatly appreciated!
Question by:jmchristy
16 Comments
 
LVL 10

Expert Comment

by:MiniDevo
Depends, who is the signing CA? Generally, the signing CA (if it's someone like VeriSign, etc.) requires that you repurchase your digital certificate to ensure validity and, well, make more money.
 

Author Comment

by:jmchristy
Sorry I didn't specify that. It is an in-house Code Signing cert. We used MS's CS certificate template from a 2003 CA to sign home grown apps.
 
LVL 10

Expert Comment

by:MiniDevo
Without seeing the digital certificates themselves, you should be okay. If you are worried about expiration, you can always re-certify yourself and set the expiry to 2109 along with your server.
 
LVL 19

Expert Comment

by:lamaslany
It may be that all of the certificates were issued at the same time rather than the expiry of the issuing CA certificate. A quick way to check is to look at the 'Valid to' field in the certificate of the issuing CA. This should be accessible from the Certification Path tab of each certificate.

You are correct though - an issuing CA cannot issue certificates that will be valid beyond the life of the issuing CA's own certificate.
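The same check lamaslany describes (compare the 'Valid to' of the leaf certificate with the 'Valid to' of each CA on its Certification Path), done from PowerShell instead of the Certificates MMC. This is an added example, not code posted in the thread. It assumes PowerShell with the Cert: drive (2.0 or later), that the certificate to inspect sits in a Personal store, and that you supply its thumbprint; the store path and thumbprint placeholder below are assumptions.

```powershell
# Added example (not from the thread): walk the certification path of one
# certificate and compare its NotAfter with the issuing CA's NotAfter.
# Assumptions: the cert lives in $StorePath and $Thumbprint is its SHA-1
# thumbprint (the placeholder value below must be replaced).
param(
    [string]$StorePath  = 'Cert:\CurrentUser\My',
    [string]$Thumbprint = 'REPLACE-WITH-LEAF-THUMBPRINT'   # assumed placeholder
)

$leaf = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

# Build the chain the same way the Certification Path tab does. Revocation
# checking is off on purpose: this script only compares validity dates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($leaf)

# Element 0 is the leaf, the last element is the root CA.
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
for ($i = 0; $i -lt $elements.Count; $i++) {
    $c    = $elements[$i]
    $role = if ($i -eq 0) { 'Leaf  ' } elseif ($i -eq $elements.Count - 1) { 'Root  ' } else { 'Issuer' }
    # Four-digit year on purpose, so 2009 and 2109 cannot be confused.
    '{0} {1,-45} NotAfter={2:yyyy-MM-dd}' -f $role, $c.Subject, $c.NotAfter
}

if ($elements.Count -lt 2) {
    'Self-signed certificate: there is no separate issuing CA to compare against.'
    return
}

# A CA cannot issue a certificate that outlives the CA's own certificate, so
# the leaf's NotAfter is never later than the issuer's. The leaf's own date is
# the one that matters for the signed code or the DC, not the CA's.
$leafExpiry   = $elements[0].NotAfter
$issuerExpiry = $elements[1].NotAfter
if ($leafExpiry -le $issuerExpiry) {
    'Leaf expires {0:yyyy-MM-dd}; issuing CA stays valid until {1:yyyy-MM-dd}. Renew the leaf, not the CA.' -f $leafExpiry, $issuerExpiry
} else {
    'Unexpected: leaf outlives its issuer; check which certificate you are looking at.'
}
'Days until leaf expiry: {0}' -f [int]($leafExpiry - (Get-Date)).TotalDays
```

Run it once against the Code Signing cert in Cert:\CurrentUser\My and once against a DC certificate in Cert:\LocalMachine\My on the domain controller; in the situation described in the question the leaf rows show a 2009 date while the issuer row shows the CA's much later date.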
 

Author Comment

by:jmchristy
So, even though they're set to expire this month they won't disrupt anything when they pass the expiration date? How would I go about doing a re-certify and setting the expiration date to 2109? I know for Code Signing certs they can only use the default expiration period on 2003, but you can copy the template and extend that time on an Enterprise CA server.
 
LVL 10

Expert Comment

by:MiniDevo
If the certificate expires, it may cause problems for those that are using the programs on Windows machines as this may kick up a security warning that the application's certificate is no longer valid.
 

Author Comment

by:jmchristy
lamaslany,

  I checked the Cert Path on the CS cert and it is valid until 2109. So, does that mean that apps published with that particular certificate will still be valid because the issuing CA is valid until 2109, regardless of expiration date on the actual cert?
 

Author Comment

by:jmchristy
So, would I have to get the programmer to request a new CS cert and re-sign all of his apps with the new one each year?
 
LVL 10

Expert Comment

by:MiniDevo
For security reasons I would say yes, for ease of use, you could set the valid date to whatever you want as long as it does not exceed the server's date. I would check with your organization's security policy when it comes to CA signing as the yearly signature may be a security policy stipulated by your administration.
 

Author Comment

by:jmchristy
It doesn't appear that I can set the valid date on a CS cert past the default validity on a Windows 2003 standard edition server. The way that a programmer requests a cert now is through the web "http://servername/certsrv". There doesn't appear to be any place to change how long the issued CS cert is valid, unless I'm looking in the wrong place.
 
LVL 31

Expert Comment

by:Paranormastic
You are probably running into an issue since the last 2 digits of the validity period are 09 (2109 instead of 2009).

Technically, you should be fine if that is when all the certs expire. That being said - I would heavily recommend testing this on a machine that you can adjust the time setting on and test all applications that use these certificates. Century bugs are common in software - make sure. If you come across a problem then contact the vendor(s) to see if they might have a patch available to look at the 4-digit year instead of the 2-digit year.

If nothing else, if you test now you will still have a little bit of time to issue new certs with a shorter timeframe - I would recommend not going past 2029 for the expiration date.
 
LVL 31

Expert Comment

by:Paranormastic
And yes, 2029 is a specific recommendation for the top end - or shorter, of course. This is the next time period where a large number of 2-digit-year software packages will 'flip' to the next 2-digit year to determine what the beginning century is (i.e. right now they would read 1930 for any year ending in 30, and 2029 for any year ending in 29... in about 15 years they should start updating to change the timeframe to a different number, like 59, for the flip).
 

Author Comment

by:jmchristy
Okay, I have attached a screen shot of the Code Signing Cert I am referring to. It wasn't purchased through a third party vendor, we issued it from the MS CA to our programmer via the web interface. You're saying that this cert is actually going to expire in 2109?
cert.jpg
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
I'm not saying it's going to expire in 2109 - you did...

From your initial posting:
"They all have a valid period until 2109"
from '24373994'
" I checked the Cert Path on the CS cert and it is valid until 2109. So, does that mean that apps published with that particular certificate will still be valid because the issuing CA is valid until 2109, regardless of expiration date on the actual cert?"

Sorry... apparently this was a typo?

If you look at it in Certificates MMC that should show the proper year. You can verify by using cmd line "certutil -dump %filename.cer%" and looking for the expiration date there.

If it expires in 2009, yes you need to request a new code signing cert and re-sign the code. The way to get out of having to do this repeatedly is to have the file also be timestamped as part of the process. Commercial CAs usually have a timestamping service that comes with their code signing certs, and there are also 3rd party timestamping services you can use - some of them are free but may have a few days turn around time.

Given the short time, I would suggest re-signing it and getting that out there and worry about the time stamping after that for a long term solution.

Sorry about the delay getting back, had a lot of work to do at my real job...
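The procedure from the accepted answer, scripted end to end: confirm the real expiry with certutil, find which issued certificates on the CA are about to lapse, re-sign the binary with the new Code Signing cert, and countersign it with a timestamp so the signature outlives the certificate. This is an added example, not code from the thread. It assumes PowerShell 2.0 (for Set-AuthenticodeSignature -TimestampServer), a machine that can reach the 2003 CA, an unexpired Code Signing cert already enrolled into the current user's Personal store via certsrv, and placeholder values for the .cer file, binary path, CA config string and timestamp URL; none of those names come from the thread.

```powershell
# Added example (not from the thread). All paths, the CA config string and the
# timestamp URL are assumed placeholders and must be replaced.
$CerFile      = 'C:\certs\codesign.cer'                          # assumed: exported leaf cert
$Binary       = 'C:\build\HomeGrownApp.exe'                      # assumed: file to re-sign
$CaConfig     = 'caserver.example.invalid\Example Issuing CA'    # assumed: "host\CA name"
$TimestampUrl = 'http://timestamp.example.invalid/timestamp'     # placeholder Authenticode timestamp service

# 1. Confirm the leaf's real expiry the way the answer suggests. certutil
#    prints NotBefore/NotAfter with a four-digit year, so 2009 vs 2109 is unambiguous.
certutil -dump $CerFile | Select-String 'NotBefore|NotAfter'

# 2. On the CA database: every issued cert (Disposition=20) that expires in the
#    next 60 days, so the DC and Code Signing certs due this month are listed together.
$from = (Get-Date).ToString('M/d/yyyy')
$to   = (Get-Date).AddDays(60).ToString('M/d/yyyy')
certutil -config $CaConfig -view -restrict "Disposition=20,NotAfter>=$from,NotAfter<=$to" `
    -out 'RequestID,RequesterName,CertificateTemplate,NotAfter'

# 3. Pick the newest unexpired Code Signing cert that has a private key here.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No unexpired code signing cert with a private key; request one through certsrv first.' }
'Signing with {0}, valid until {1:yyyy-MM-dd}' -f $cert.Subject, $cert.NotAfter

# 4. Re-sign and timestamp. The timestamp countersignature proves the signature
#    was made while the cert was valid, so Windows keeps accepting it after NotAfter;
#    a signature without one becomes invalid the day the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $Binary -Certificate $cert -TimestampServer $TimestampUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# 5. Verify what was written. TimeStamperCertificate is only set when the
#    countersignature was applied; if it is empty the yearly re-sign is still needed.
$check  = Get-AuthenticodeSignature -FilePath $Binary
$fields = @($check.Status, $check.SignerCertificate.NotAfter, ($check.TimeStamperCertificate -ne $null))
'Status={0}  Signer NotAfter={1:yyyy-MM-dd}  Timestamped={2}' -f $fields
```

If the timestamp service is unreachable, Set-AuthenticodeSignature still produces a signature but without the countersignature, which is exactly the case the accepted answer warns will need re-signing every year; step 5 makes that visible rather than discovering it at the next expiry.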
 
LVL 31

Expert Comment

by:Paranormastic
See above posting....
 

Author Closing Comment

by:jmchristy
I said that I checked the properties of the CA server and it was set to expire in 2109. The individual certs assigned to DC's and CC were set to expire in 2009.

As I said in my initial post, I'm not very familiar with in-house CA servers. Your final post did answer my question.