Score:1

What is the best practice to handle expiring S/MIME mail certificates


Where can I find info regarding the proper way to handle expiring mail certificates?

Here's the problem: our certificates for digitally signing mails expire after a year. If, a week before expiry, I revoke a certificate and create a new one, Outlook complains whenever I open an older mail, signed with a now revoked certificate.

I think this shouldn't be so, since the old mail was signed at a time when the certificate hadn't been revoked yet, so I would think the signature is still perfectly valid. The revocation has a date, so signatures made AFTER the revocation should be invalid, others not. Maybe I'm wrong :-).

Do I need to let the certificate expire, and only then create a new one, without revoke, to prevent Outlook warning me about invalid signatures?

Thanks for your help!

Score:1

You should not revoke the certificate.

Why?

There is a difference between an expired certificate and a revoked certificate. An expired certificate is just that: expired. It is still regarded as valid for signatures made before the expiration.

A revoked certificate, on the other hand, is considered invalid, because you normally revoke certificates if they have been abused or could be, for example because their private key has been leaked. Since there is no way to specify from when a certificate has been compromised (which would usually be before the revocation date, and often is not even known), revoked certificates are no longer considered valid at all.

That is why you should not revoke your certificate (there is no need to do so anyway), but rather just let it expire. That does not prevent you from creating a new certificate before the old one has expired. You can do so and just start using it while the old one is still valid.
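To make the expired-versus-revoked distinction concrete, here is an added Python example (not code from the question or from either answer) that models how a mail client decides whether to trust an old signature. The `Cert`, `Verdict`, `evaluate_signature` and `pick_signing_cert` names, the certificate dates and the signing times are all constructed for the illustration; in real S/MIME the signing time comes from the signer-asserted CMS `signingTime` attribute, and revocation status from a CRL or OCSP response.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Verdict(Enum):
    TRUSTED = "trusted"
    TRUSTED_CERT_EXPIRED = "trusted (certificate has since expired)"
    REJECTED_REVOKED = "rejected: certificate revoked"
    REJECTED_OUTSIDE_VALIDITY = "rejected: signed outside certificate validity"


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal view of an S/MIME signing certificate."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # set once the cert appears on a CRL / OCSP says revoked


def evaluate_signature(cert: Cert, signing_time: datetime, now: datetime) -> Verdict:
    """Decide whether a signature made at `signing_time` is still trustworthy at `now`.

    Expiry is time-scoped: a signature inside [not_before, not_after] stays trusted
    even when `now` is past not_after. Revocation is not time-scoped: the CRL entry
    carries a revocation date, but the real compromise may predate it by an unknown
    margin, so a verifier rejects every signature from a revoked certificate.
    Note that `signing_time` is asserted by the signer (CMS signingTime attribute),
    so the verifier is trusting the signer's clock here.
    """
    if cert.revoked_at is not None:
        return Verdict.REJECTED_REVOKED
    if not (cert.not_before <= signing_time <= cert.not_after):
        return Verdict.REJECTED_OUTSIDE_VALIDITY
    if now > cert.not_after:
        return Verdict.TRUSTED_CERT_EXPIRED
    return Verdict.TRUSTED


def pick_signing_cert(certs, now: datetime) -> Optional[Cert]:
    """Rollover helper: while old and new certs overlap, sign with the longest-lived valid one."""
    usable = [c for c in certs if c.revoked_at is None and c.not_before <= now <= c.not_after]
    return max(usable, key=lambda c: c.not_after) if usable else None


def demo() -> dict:
    """Replay the scenario from the question with constructed dates."""
    utc = timezone.utc
    old = Cert("alice@example.com",
               datetime(2022, 3, 1, tzinfo=utc), datetime(2023, 3, 1, tzinfo=utc))
    # Same certificate, but revoked a week before expiry, as the question describes.
    old_revoked = Cert(old.subject, old.not_before, old.not_after,
                       revoked_at=datetime(2023, 2, 22, tzinfo=utc))
    # Replacement issued before the old one expires (the rollover the answer recommends).
    new = Cert("alice@example.com",
               datetime(2023, 2, 22, tzinfo=utc), datetime(2024, 2, 22, tzinfo=utc))

    signed_in_sept = datetime(2022, 9, 15, tzinfo=utc)  # constructed signingTime of an old mail
    reopened = datetime(2023, 4, 1, tzinfo=utc)         # mail is re-read after the old cert expired

    return {
        "expired_not_revoked": evaluate_signature(old, signed_in_sept, reopened),
        "revoked_before_expiry": evaluate_signature(old_revoked, signed_in_sept, reopened),
        "signed_after_expiry": evaluate_signature(old, datetime(2023, 3, 5, tzinfo=utc), reopened),
        "rollover_choice": pick_signing_cert([old, new], datetime(2023, 2, 25, tzinfo=utc)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:>22}: {result.value if isinstance(result, Verdict) else result}")
```

The second scenario is exactly what Outlook is reporting in the question: the September signature predates the revocation date, yet the verdict is rejection, because revocation cannot be scoped to a point in time. The first scenario shows the outcome when the certificate is simply allowed to expire, and the rollover helper shows that a new certificate can be put into service while the old one is still valid.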

Score:0

As far as I know, an expired, revoked, or untrusted certificate will remain usable for cryptographic purposes. The emails will still be readable, but the mail client should warn you that the certificate has expired or ask you for confirmation to open it.

Here's a blog post, FAQ: Expired S/MIME Certificates, for your reference.

not2savvy
That's not quite correct as far as emails signed _before the expiration_ of the certificate are concerned. Quoted from the FAQ you link to: _"As long as you signed an email message within the validity period of your S/MIME certificate, your recipient's email client software should continue to trust it after the certificate itself expires."_