Why does Windows consider a certificate valid even after its expiration time?

Question

I downloaded Google's Cloud SDK installer today, and upon checking the certificate to validate it, I noticed something strange: the expiration date of the certificate appears to be December 22nd 2019 - over four months from today, April 30th 2020. Despite this, however, Windows displays the certificate as valid and doesn't seem to care that the certificate is past its expiration date.

Screenshot of the certificate details. Notice the expiration date.

What is happening here, then? Why does Windows consider this certificate valid even though it expired four months ago? I was under the impression that certificates can no longer be trusted after they expire, and require a renewal. Is this not the case with software signing?

mti2935 · Accepted Answer · 2020-04-30T09:59:50.960

2

It's OK if the certificate has expired - as long as the timestamped signature on the file that you downloaded was made while the certificate still was valid.

See https://comodosslstore.com/resources/how-to-avoid-code-signing-certificate-expired-issues/ for more info.

edited Apr 30 '20 at 09:59

answered Apr 30 '20 at 09:47

mti2935

19,868
2
45
64

2

Years ago, I wrote a more complete blog post on this subject: https://www.sysadmins.lv/blog-en/digital-signatures.aspx – Crypt32 Apr 30 '20 at 09:54
@Crypt32 well done. Thanks for posting the link to this. – mti2935 Jul 30 '20 at 13:31

Why does Windows consider a certificate valid even after its expiration time?

1 Answers1