Need help on "Certificate Expiration" and "Public/Private Key Expiration"

[Pearapon S.]

Dear All,

I am new to PKI System and has tried to read many PKI papers but
still unclear about "Certificate Lifetime/Expiration", "Public/Private
Key LIfetime/Expiration" as the following:

1) How are they different between "Certificate Lifetime/Expiration"
and "Public/Private Key Lifetime/Expiration" ?

2) How can we check whether this Certificate is already expired ? In
information in the Certification itself ?

3) Then how can we check whether the public key (and its Private Key)
that we obtained has already expired ?

4) Where (and how) do we specify the lifetime of "public/private key"
: in CA Server who generate the keys ? Then if the organization allow
thier users to generate his/her public/private key, how we can control
the lifetime of the keys ?

5) If the document had a digital signature signed (correctly) BEFORE
its Certification expired ; when the Certification expired , how can
we (or what is the process that) verify that this document is valid ?

6) Compare the answer in (5) If the document had a digital signature
signed AFTER its Certification expired ; how can we (or what is the
process that) verify that this document is invalid ?

7) How long that we need to keep "Certificate and its public key"
after the "CERTIFICATE" expired in order that we still can verify the
previous documents and their Digital Signature that signed before the
expiration date ?

8) How long that we need to keep "Certificate and its public key"
after the "PUBLIC/PRIVATE KEY" expired in order that we still can
verify the previous documents and their Digital Signature that signed
before the expiration date ?

9) In the case that Public/Private key is already expired Do we need
to put its Certificate into CRL too ?

10) Is there any papers that can explain me about this topic ? Is
there any PKI FAQ that I can read or use as the reference ?

I hope that you can help and clarify these questions for me. Thank you
very much in advance

KInd Regards
Pearapon S.
(e-mail address removed)

 

[Miha Pihler]

Hi,

1st question and answer.
You define certificate lifetime in certificate policy (if we are talking
about Microsoft PKI). Here you can define, that certificate is valid 1 hour,
1 day, 1 year or 100 years. The only limit is lifetime of CA server.
Certificate can't have longer lifetime then it's parent CA server.

2nd question and answer.
You check either public or private key. It will display that certificate is
no longer valid. Here is an example.

http://freeweb.siol.net/mpihler/valid.jpg
http://freeweb.siol.net/mpihler/notvalid.jpg

Note, that I cheated a bit with "notvalid.jpg". I changed system time --
otherwise certificate is still valid.

3rd question and answer.
You can open public key of a person and see if it is still valid.

4th question and answer.
You can only define certificate lifetime when you issue it. This can't be
changed later. Nothing in the certificate can't be changed. If you edit it,
certificate comes invalid (digital signature is not valid any more). If you
use Microsoft PKI, you create templates. Then you assign users permissions.
Users are allowed to see only templates that they have permissions to. This
again means that they can issue themselves only certificate that they have
permissions to.

5th and 6th question and answer.
Depending on program, it can tell if digital signature is not valid any
more, because of timelife or was document changed. Checking the document
validity depends on program that created the document (e.g. Word, Acrobat
Reader, ... etc).

7th question and answer.
You can't use certificate that is not valid. This also means that you can't
sign documents and e-mails.

8th question and answer.
I would say at least as long as root certificate is valid. You will also
need the private keys to decrypt the documents that were encrypted with
these keys. Public any private key pair expire at same time!

9th question and answer.
In general no, but it is up to you (depending on your internal policy).

My advice. Don't just read White peppers. Setup a test domain with CA
servers (hierarchy) and play with it. Issue certificates, create policies,
revoke certificates, sign documents, etc...

Other then that... start here:

Public Key Infrastructure for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Recently there was also book published that I can recommend.

Microsoft® Windows ServerT2003 PKI and Certificate Security
http://www.microsoft.com/mspress/books/6745.asp

Mike