Steven
Sat Apr 30 12:02:16 CDT 2005
Hi Brian.
Thanks for elaborating and I have a question for you if you have the time.
In what cases, if any, does it make sense to renew a certificate with the
same private key for a client certificate? I know it is a less secure
option. I was messing around with renewal options the other day and found
that for at least EFS and e-mail using outlook express that if I renewed a
certificate with the same private key that the new certificate could not be
used to decrypt EFS files or emails that were encrypted with the "old"
certificate that had the same public key/private key. What is the mechanism
preventing such? Does the application also check for serial number,
thumbprint, or time stamp to make a determination if the certificate/private
key can be used? I think I read somewhere sometime that renewing a
certificate with the same private key was mostly a decision based on
performance in that it saved CPU cycles because a new key pair did not have
to be generated and maybe that is the only reason to use it? Thanks for any
help. --- Steve
"Brian Komar (MVP)" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1cdd5fa0c0fa71a0989699@msnews.microsoft.com...
> Further to Steve's great response...
> When you renew a certificate, whether it is with the same key or a new
> key pair, the previous version of the certificate is archived if the
> request is performed through a renewal process.
>
> This means that the old certificate and private key is still available
> to decrypt information encrypted with the public key of the key pair.
> When a certificate expires, you cannot use the certificate for "active"
> operations (the encryption process), but you still can for the
> decryption process.
>
> As Steve stated, make sure that you back up *all* certificates and
> private keys, especially for encryption applications such as S/MIME and
> EFS, so that you can recover older docs and messages.
>
> Brian
>
>
> In article <O9ZwiwETFHA.580@TK2MSFTNGP15.phx.gbl>, n9rou@nospam-comcast.net says...
>> When a certificate is renewed you have a couple of options. You can renew it
>> with the same private key or with a new private key. Renewing with a new
>> private key is the more secure option. If you renew with the same private
>> key then "maybe" the same certificate/private key can be used but I am not
>> 100 percent sure about that. If you want to pursue that option of renewing
>> the same private key you may want to post in an Exchange newsgroup or two to
>> see what they have to say about doing such.
>>
>> Assuming you renew the certificate with a new private key it will not be
>> able to be used to decrypt old emails that were encrypted with the now
>> expired certificate/private key. The old private key however still can. In
>> all cases you should keep the old certificate/private keys and have backups
>> of such [done by the certificate owners] which you can do by exporting them
>> [including private key] to a password protected .pfx file. In Windows only
>> the .pfx file contains the certificate and private key. A .cer file contains
>> just the certificate which is the public key. If you have not seen the link
>> below it may be helpful. --- Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>
>> "Griff" <Griff@discussions.microsoft.com> wrote in message
>> news:7DD40EAE-C1AD-4A2E-9124-1B8F0F9DE277@microsoft.com...
>> > Steven,
>> >
>> > That was helpful. I am running 2003 standard. Let's say the president of
>> > the company is locking email and files down with his cert. Will he be able
>> > to access those protected items with a new cert if it is issued by the same
>> > CA? I have found the client cert renewal process to be troublesome, so I am
>> > interested in just issuing new ones after the old one expires. Is that an
>> > option? I am just trying to avoid locking the company out of our reports
>> > after the year is up....
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> First off a client certificate can never expire after a CA certificate so
>> >> keep that in mind with your planning. For Windows 2000 and Windows 2003
>> >> Standard version Certificate Authorities the certificates will need to be
>> >> renewed manually which the users can do themselves if they have been trained
>> >> to do such. An Enterprise CA that is installed on a Windows 2003 Enterprise
>> >> Server can be configured to renew certificates automatically if you use
>> >> version 2 templates [configurable copies of version 1 templates] and have
>> >> enabled autoenrollment for users and/or computers via Group Policy. Windows
>> >> 2000 does allow automatic request of "computer" certificates only via Group
>> >> Policy. I am not sure offhand if they will be renewed if the computer
>
> --
> ==
> Brian Komar
> MVP - Windows - Security
>
> http://www.identit.ca/blogs/brian
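As an added illustration of the mechanism Steve asks about (not code from anyone in this thread, and not how Windows itself is implemented): this Go program issues a certificate, renews it with the same RSA key pair, and shows that the renewal gets a new thumbprint while the SubjectPublicKeyInfo is unchanged and the private key still decrypts a secret wrapped to the old certificate. The subject name, dates and secret are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// must panics on error so the demo reads top to bottom without error plumbing.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// hexSHA1 returns the SHA-1 of b as hex, the form Windows shows for a thumbprint.
func hexSHA1(b []byte) string { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }

// issue self-signs a certificate for key; a same-key "renewal" is a second call with the same key.
func issue(key *rsa.PrivateKey, serial int64, from time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // a renewal always gets a fresh serial number
		Subject:      pkix.Name{CommonName: "steve@example.invalid"}, // constructed name
		NotBefore:    from,
		NotAfter:     from.AddDate(1, 0, 0),
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))
}

// Renewal records how the old and renewed certificates compare to an application.
type Renewal struct{ SameThumbprint, SameKey, OldKeyDecrypts bool }

// DemoSameKeyRenewal issues a certificate, renews it with the same key pair,
// encrypts a secret to the old certificate and reports what still matches.
func DemoSameKeyRenewal() Renewal {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	old := must(issue(key, 1, time.Date(2004, 4, 30, 0, 0, 0, 0, time.UTC)))
	renewed := must(issue(key, 2, time.Date(2005, 4, 30, 0, 0, 0, 0, time.UTC)))
	// An S/MIME or EFS client wraps a content key to the certificate's public key
	// and records which certificate it used (serial/thumbprint), not the key itself.
	secret := []byte("constructed content encryption key")
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, old.PublicKey.(*rsa.PublicKey), secret, nil))
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, key, ct, nil) // private key is unchanged
	return Renewal{
		SameThumbprint: hexSHA1(old.Raw) == hexSHA1(renewed.Raw),
		SameKey:        hexSHA1(old.RawSubjectPublicKeyInfo) == hexSHA1(renewed.RawSubjectPublicKeyInfo),
		OldKeyDecrypts: err == nil && string(pt) == string(secret),
	}
}
```

An application that looks the decryption key up by certificate thumbprint or issuer-and-serial, rather than by the key itself, will therefore not match the renewed certificate against old ciphertext, which is consistent with what Steve observed; keeping the archived old certificate and key, as Brian describes, is what makes decryption work.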