Griff
Guest
Posted: Fri Feb 18, 2005 9:33 pm
Post subject: Certificate Renewal Issues
I am going to be implementing Enterprise and Subordinate CAs to encrypt
executive email. We archive everything and I wanted to know what happens when
their certs expire and they are issued new ones. Will they not be able to get
into the archived messages? What are the ramifications of not handling this
right? Any help or advice would be great. Thanks
Steven L Umbach
Guest
Posted: Sat Feb 19, 2005 6:37 am
Post subject: Re: Certificate Renewal Issues
If you renew the certificate with a new private key they will only be able to
open the old archived messages with the old certificate/private key that was
used to create them. You can renew a certificate with the same private key
if you want and it suits your security requirements. In general, if you
create the certificate with a longer key length, and all else being equal,
you can use it for a longer period of time either by extending the
expiration date and/or renewing it with the same private key. Also make sure
that these users have exported their certificates/private keys to a
password-protected .pfx file for safe keeping, including offsite.
--- Steve
"Griff" <Griff@discussions.microsoft.com> wrote in message
news:F50AE3BD-7DBF-4E74-87E4-EC5D1111A5A0@microsoft.com...
Griff
Guest
Posted: Mon Feb 21, 2005 7:21 pm
Post subject: Re: Certificate Renewal Issues
Steven,
First let me say thank you very much. I have been trying to lengthen the
expiration date but can't seem to make that work. Is the only way to do this
through making a larger key? Thanks again.
Griff
Guest
Posted: Mon Feb 21, 2005 7:41 pm
Post subject: Re: Certificate Renewal Issues
I also wanted to ask when and where do I lengthen the key to extend the life
of the cert? Can I do this after the PKI infrastructure is in place? If I
have just used the PKI to deploy test certs, are there any ramifications in
removing the certificate services and starting over? I have less than a week
left to deploy this thing, and if it is wrong or bites me later down the road
then it is bye bye for me, so I really appreciate any help.
Steven L Umbach
Guest
Posted: Tue Feb 22, 2005 6:48 am
Post subject: Re: Certificate Renewal Issues
If you are using Windows 2003 Enterprise Server, you can create an
Enterprise CA and use version 2 templates to modify the key length and
validity period of certificates. You can do so by making a copy of a
similar version 1 template and then modifying it to your needs. There are
some built-in limits AFAIK on templates I have noticed, such as two years for
the user template even though you can set the period longer in the template.
The link below explains how to use version 2 templates.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Though I have not tried it myself, there are registry changes you can make
to a CA to change the validity period of templates it issues if you cannot
use version 2 templates. The last link is a general link to Windows 2003
PKI.
http://support.microsoft.com/?id=254632
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
"Griff" <Griff@discussions.microsoft.com> wrote in message
news:AE3B7C88-680E-484D-98A8-2350EF3D4E99@microsoft.com...