On Friday 14 March 2008, Patrick Patterson wrote:
> Hi Mick:
>
> On Friday 14 March 2008 16:43:28 Mick wrote:
> > Hi All,
> >
> > I am not sure what happens under the following scenario. I use an SSL
> > certificate (e.g. from CaCert.org) to encrypt and sign a file and/or an
> > email message. Later on the certificate expires. I renew the
> > certificate, load it up on my browser/mail client.
> >
> > Can I then use my mail client to decrypt and read the file and message
> > that I encrypted previously, with the since-expired cert?
>
> Actually, what you care about are the keys associated with the certificate.
> For encryption, you've got content that is encrypted with the public key,
> and decryptable only with the private key. Since the certificate is your
> public key signed by some Certificate Authority or other (or, itself), then
> after the certificate expires, most software will not let you or others
> encrypt things with that public key. However, since you are still in
> possession of the private key, you should still be able to decrypt
> everything just fine.
>
> Now, if you get a new certificate, most of the time, that will mean that
> you generated a new private/public key pair, and had the new public key
> signed by a CA. So, you will now have 2 private keys to protect - the one
> used to decrypt old content, and the one used to decrypt new content. Some
> people decide that having two keys to protect is a bad thing, and they just
> simply decrypt all of the old data with the old private key, and re-encrypt
> it with the new public key, after which they destroy their old private key.
> How you manage this is largely a matter of policy (either the CA's, your
> company's, or your own personal policy).
>
> Hope that helps clear things up.
Yes, it does. Keeping the same private key and generating a new public key with it seems to be a sensible thing to do from a practical point of view. Thank you very much.

--
Regards,
Mick
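As an added example (not code from this thread), the following Python script, using the `cryptography` library, walks through what Patrick describes: a well-behaved client refuses to encrypt to a certificate that is no longer valid, yet the private key still decrypts the old mail; a renewal that keeps the key pair yields a certificate over the same public key, while a renewal with a fresh key pair leaves a private key that cannot read the old ciphertext. The self-signed certificate (standing in for a CA), the subject name and the dates are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def self_signed_cert(key, not_before, not_after):
    """Stand-in for a CA: certify key's public half for the given validity window."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "mick (constructed)")])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(key, hashes.SHA256()))

def validity(cert):  # aware UTC datetimes; the *_utc accessors exist from cryptography 42 on
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))

def cert_is_current(cert, now):
    """The check a well-behaved client makes before encrypting to a certificate."""
    not_before, not_after = validity(cert)
    return not_before <= now <= not_after

def encrypt_to_cert(cert, now, plaintext):
    if not cert_is_current(cert, now):
        raise ValueError("certificate not valid now; refusing to encrypt to it")
    return cert.public_key().encrypt(plaintext, OAEP)

def try_decrypt(key, ciphertext):
    try:  # only the private key matters here; no certificate dates are consulted
        return key.decrypt(ciphertext, OAEP)
    except ValueError:  # ciphertext was not made for this key pair
        return None

def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    t0 = datetime(2008, 1, 1, tzinfo=timezone.utc)
    old_cert = self_signed_cert(key, t0, t0 + timedelta(days=60))
    ct = encrypt_to_cert(old_cert, t0 + timedelta(days=1), b"old mail")
    later = t0 + timedelta(days=90)  # old_cert has expired by now
    new_cert = self_signed_cert(key, later, later + timedelta(days=365))      # renewal keeping the key pair
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # renewal with a fresh key pair
    return {
        "old_cert_current_later": cert_is_current(old_cert, later),     # False: clients refuse to encrypt
        "old_key_decrypts_old_mail": try_decrypt(key, ct),              # b"old mail": still readable
        "renewed_cert_same_key": old_cert.public_key().public_numbers() == new_cert.public_key().public_numbers(),
        "new_key_decrypts_old_mail": try_decrypt(new_key, ct),          # None: must keep the old key
    }
```

Run `demo()` to see all four outcomes at once; the last entry is the reason Patrick says a fresh key pair leaves you with two private keys to protect unless you re-encrypt the old data.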