
In our environment, we provide user certificates to sign or encrypt emails. This is an internal setting, meaning the CA is internal to our organization (not a public CA) and handled by our Active Directory PKI.

User certificates are emitted with a duration of one year and automatically renewed by the PKI.

There is however a side effect in Outlook: whenever a user opens an email that was signed or encrypted by a certificate that has since expired, Outlook does not check whether said certificate has been renewed and issues a warning message stating that the certificate is invalid, requiring the user to force the display of the message and ignore the warnings.

[Image: Outlook error message]

This is a very bad thing for user education and awareness ("ignore Outlook certificate warnings...")

Given I did not find a way for Outlook to behave properly, I am considering an alternate solution: issue certificates with an unlimited (very long) duration; this way a user certificate will become invalid only after revocation by the PKI (when the user leaves the organization).

This looks like an appropriate policy, but are there any side effects? I did not find any recommendations / best practices by Microsoft, so I am wondering if others have experience with this setting and if it is useful to set an expiry date for internal user certificates.

Samuel

1 Answer


The reason for the certificate's current invalidity is not relevant. If Outlook, or any client software, presents a different conclusion regarding the validity of a signature from either type of certificate (expired, or revoked) then the software is broken and a bug report should be filed with the vendor.

If the signature was made while the certificate was valid, then the signature should (IMnsHO) be accepted as valid; if the signature was made after the certificate became invalid, then the signature must not be accepted as valid. The tricky bit is establishing when the signature was made relative to the invalidation of the certificate. It's likely that there is no simple solution; I expect something like this proposed distributed timestamp mechanism or this longstanding timestamps-by-email service would be useful.

It's probably going to require more user education in any case.

mlp
I agree with you that Outlook's behavior is nonsensical; a mail signed/encrypted when the certificate was valid should still be valid. I did open a bug report for that but do not expect any answer other than "it's not a bug, it's a feature". – Samuel Mar 13 '18 at 09:54
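To make the answer's rule concrete, here is an added Python example (not from the question or the answer, and not a model of Outlook's actual code) contrasting a checker that judges the certificate at the moment the mail is opened with one that judges it at signing time; the dates, the CertStatus type and the "trusted signing time" flag are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class CertStatus:
    """What the verifier knows about the signer's certificate (constructed type)."""
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date from the issuer's CRL, if any


def cert_usable_at(cert: CertStatus, when: datetime) -> bool:
    """True if the certificate was inside its validity window and not yet revoked at 'when'."""
    if not (cert.not_before <= when <= cert.not_after):
        return False
    return cert.revoked_at is None or when < cert.revoked_at


def naive_verdict(cert: CertStatus, now: datetime) -> str:
    """The behaviour the question describes: the certificate is judged at the moment
    the mail is opened, so every old signature turns 'invalid' once it expires."""
    return "valid" if cert_usable_at(cert, now) else "invalid"


def signing_time_verdict(cert: CertStatus, signing_time: datetime, time_is_trusted: bool) -> str:
    """The rule the answer argues for: judge the certificate at the time the signature
    was made. 'time_is_trusted' is True only when the signing time comes from evidence
    the signer cannot forge (e.g. a timestamp token); a signer-asserted time could be
    backdated after a key compromise, so that verdict is flagged rather than clean."""
    if not cert_usable_at(cert, signing_time):
        return "invalid"
    return "valid" if time_is_trusted else "valid (signing time unverified)"


# Constructed sample: a one-year user certificate, a mail signed mid-term,
# and that mail being read twelve days after the certificate expired.
CERT = CertStatus(datetime(2017, 3, 1, tzinfo=UTC), datetime(2018, 3, 1, tzinfo=UTC))
SIGNED = datetime(2017, 6, 15, 10, 0, tzinfo=UTC)
OPENED = datetime(2018, 3, 13, 9, 54, tzinfo=UTC)
# Same certificate but revoked mid-term, plus a signature made after the revocation.
REVOKED_CERT = CertStatus(CERT.not_before, CERT.not_after, revoked_at=datetime(2017, 9, 1, tzinfo=UTC))
SIGNED_AFTER_REVOCATION = datetime(2017, 10, 1, tzinfo=UTC)

if __name__ == "__main__":
    print("opened after expiry, judged now        :", naive_verdict(CERT, OPENED))  # invalid
    print("opened after expiry, judged at signing :", signing_time_verdict(CERT, SIGNED, True))  # valid
    print("signed after revocation                :", signing_time_verdict(REVOKED_CERT, SIGNED_AFTER_REVOCATION, True))  # invalid
```

The flagged verdict is where the answer's "tricky bit" lives: without a timestamp the verifier cannot tell a genuine old signature from one backdated by whoever now holds the key.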