Self-signed certificate becomes invalid after some time

1

I have a web site hosted on an IIS web server. I've created a self-signed certificate for the web site and installed it on a client machine. When I install the certificate on a client machine, I can establish a trusted connection between the client and the web site. But there's this problem that after some time (which is approximately 2 weeks) the certificate installed on the client becomes invalid and I can no longer make an SSL connection. Just reinstalling the same certificate makes the problem go away. Do you have any idea why this would happen? What should I do to prevent this?

EDIT: The client runs Windows 7. The browser is Google Chrome. When I say reinstalling, I mean on the client machine and by adding it to the trusted root. It happens about every 2 weeks.

EDIT2: I've just realized that the error message is generated by a Windows app that my web application uses to sign documents electronically. So it's not related to a browser.

Mikayil Abdullayev

Posted 2016-06-07T11:12:28.557

Reputation: 111

When you go to reinstall it, does the old certificate still show up in the trusted root or is it gone? – mikeazo – 2016-06-07T12:11:42.647

When I reinstall it, it overrides the old one. So there's always only one piece of that certificate in the store. BTW, that link you pointed to seems to be helpful. – Mikayil Abdullayev – 2016-06-07T12:19:14.280

The link I posted was lost in migration. But this was the unhelpful link. Adding so that others don't have to.

– mikeazo – 2016-06-07T12:33:09.970

Does the problem only happen in Chrome or other browsers too? – mikeazo – 2016-06-07T12:33:23.643

Tested on Chrome, Firefox. Both yield the same result. – Mikayil Abdullayev – 2016-06-07T12:35:03.693

Firefox does not care about the Windows cert stores. It has its own independent cert management. Chrome however uses the OS facilities. What is the error message you get in Chrome and IExplore? – StackzOfZtuff – 2016-06-07T13:51:06.983

As I mentioned in my edit, the error is generated in a Windows service. It says "Could not establish trust relationship for the SSL/TLS secure channel with authority". – Mikayil Abdullayev – 2016-06-09T05:38:39.447

Answers

1

The X.509 standard (https://en.wikipedia.org/wiki/X.509) defines what certificates have to look like, and there is a mandatory field defining how long a cert should be valid.

Not sure how you created the cert (maybe from the IIS management panel?). But I guess your tool just chooses a short lifetime for your cert by default. Either find a way to create a long-lived cert (like a year or more) with your current tool or use openssl to create it by hand (see https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl) so you can explicitly choose the lifetime of your certificate.

Thekwasti

Posted 2016-06-07T11:12:28.557

Reputation:

If he is only reinstalling the same certificate on the client (not on the server), then the expiration date is most definitely not the issue. Hence one of the questions in my comment.

– mikeazo – 2016-06-07T11:53:02.003

True. He has now elaborated on this. – None – 2016-06-07T11:56:33.053
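
A diagnostic for the two explanations raised in this thread (the certificate's validity period has ended, or the certificate is no longer in the client's trusted root store), as an added PowerShell example that is not part of the original posts. The path in `$CerPath` is a placeholder for the exported certificate file; everything else uses the standard .NET X509 classes and the `Cert:` drive.

```powershell
# Added example, not from the thread: run on the client when the error appears.
# $CerPath default is a hypothetical placeholder; pass the real exported .cer file.
param([string]$CerPath = 'C:\temp\mysite.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$now  = Get-Date

# 1. The mandatory X.509 validity field: is "now" inside NotBefore..NotAfter?
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"NotBefore  : $($cert.NotBefore)"
"NotAfter   : $($cert.NotAfter)"
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    "Validity   : OUTSIDE the validity period (expired or not yet valid)"
} else {
    "Validity   : inside the validity period, {0:N0} days left" -f ($cert.NotAfter - $now).TotalDays
}

# 2. Is this exact certificate (matched by thumbprint) still in a trusted root store?
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) { "$store : present" } else { "$store : MISSING" }
}

# 3. Let Windows build the chain and report why it does not trust the certificate.
#    Revocation checking is switched off because a self-signed cert has no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain      : trusted"
} else {
    $chain.ChainStatus | ForEach-Object {
        "Chain      : $($_.Status) - $($_.StatusInformation.Trim())"
    }
}
```

`Cert:\CurrentUser\Root` is the store of the account that runs the script, so a Windows service running under a different account does not see it; `Cert:\LocalMachine\Root` is shared by all accounts on the machine.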