Hi Mick:

On Friday 14 March 2008 16:43:28 Mick wrote:
> Hi All,
>
> I am not sure what happens under the following scenario. I use an SSL
> certificate (e.g. from CaCert.org) to encrypt and sign a file and/or an
> email message. Later on the certificate expires. I renew the certificate,
> load it up on my browser/mail client.
>
> Can I then use my mail client to decrypt and read the file and message that
> I encrypted previously, with the since expired cert?
Actually, what you care about are the keys associated with the certificate.

For encryption, you've got content that is encrypted with the public key, and decryptable only with the private key. Since the certificate is your public key signed by some Certificate Authority or other (or, itself), then after the certificate expires, most software will not let you or others encrypt things with that public key. However, since you are still in possession of the private key, you should still be able to decrypt everything just fine.

Now, if you get a new certificate, most of the time that will mean that you generated a new private/public key pair, and had the new public key signed by a CA. So, you will now have 2 private keys to protect: the one used to decrypt old content, and the one used to decrypt new content.

Some people decide that having two keys to protect is a bad thing, and they simply decrypt all of the old data with the old private key and re-encrypt it with the new public key, after which they destroy their old private key. How you manage this is largely a matter of policy (either the CA's, your company's, or your own personal policy).

Hope that helps clear things up.

---
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
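The three points in the reply above (an expired cert does not stop decryption with its private key, a renewed cert normally means a different key pair, and the "decrypt with the old key, re-encrypt to the new cert, destroy the old key" migration) can be walked through with the openssl command line. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It assumes an `openssl` binary on PATH, uses self-signed certificates in place of CA-issued ones, and stands in for "the certificate has expired" by asking `x509 -checkend` whether a one-day cert is still valid two days from now; the message and the identity names `old`/`new` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): an expired certificate does not stop
# decryption with its private key; the renewed cert is a NEW key pair; and the
# "decrypt with old key, re-encrypt to new cert, destroy old key" migration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed key pair plus certificate: $1 = name, $2 = validity in days.
gen_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The kind of check a mail client applies before encrypting: is the cert
# still valid $2 seconds from now? (exit 0 = yes; checkend exits 1 if not)
cert_usable_for_encrypt() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# CMS/S-MIME key transport to a recipient cert: $1 = cert, $2 = in, $3 = out.
# openssl itself does not refuse an expired recipient cert here; enforcing
# the validity policy is the caller's job (see cert_usable_for_encrypt).
encrypt_to_cert() {
    openssl cms -encrypt -binary -aes-256-cbc -outform PEM \
        -in "$2" -out "$3" "$1"
}

# Decryption needs only the private key, never the certificate.
decrypt_with_key() {
    openssl cms -decrypt -inform PEM -in "$2" -out "$3" -inkey "$1"
}

# Migration path from the reply: decrypt with the old key, re-encrypt to the
# new cert. $1 = old key, $2 = new cert, $3 = old blob, $4 = new blob.
migrate_blob() {
    plain=$(mktemp "$WORK/plain.XXXXXX")
    decrypt_with_key "$1" "$3" "$plain"
    encrypt_to_cert "$2" "$plain" "$4"
    rm -f "$plain"            # do not leave plaintext behind
}

# ---- constructed run ----
printf 'constructed sample message from 2008\n' > "$WORK/msg.txt"
gen_identity old 1      # one-day cert: stands in for the cert that expired
gen_identity new 365    # the renewal: a different key pair, not just a new cert

encrypt_to_cert "$WORK/old.crt" "$WORK/msg.txt" "$WORK/msg.old.p7m"

# Is each cert still good two days from now? The old one is not, so a
# client should refuse to encrypt to it...
TWO_DAYS=172800
if cert_usable_for_encrypt "$WORK/old.crt" "$TWO_DAYS"; then OLD_CERT_OK=yes; else OLD_CERT_OK=no; fi
if cert_usable_for_encrypt "$WORK/new.crt" "$TWO_DAYS"; then NEW_CERT_OK=yes; else NEW_CERT_OK=no; fi

# ...but the old private key still opens what was encrypted to it.
decrypt_with_key "$WORK/old.key" "$WORK/msg.old.p7m" "$WORK/msg.recovered.txt"

# The new key is unrelated to the old cert, so it cannot recover the old data.
# Checked by content rather than exit status: recent OpenSSL deliberately
# returns garbage instead of an error on some RSA padding failures.
if decrypt_with_key "$WORK/new.key" "$WORK/msg.old.p7m" "$WORK/wrong.txt" 2>/dev/null \
   && cmp -s "$WORK/msg.txt" "$WORK/wrong.txt"; then
    NEW_KEY_OPENS_OLD=yes
else
    NEW_KEY_OPENS_OLD=no
fi

# Migrate, verify the migrated copy, and only then destroy the old key.
migrate_blob "$WORK/old.key" "$WORK/new.crt" "$WORK/msg.old.p7m" "$WORK/msg.new.p7m"
decrypt_with_key "$WORK/new.key" "$WORK/msg.new.p7m" "$WORK/msg.migrated.txt"
cmp -s "$WORK/msg.txt" "$WORK/msg.migrated.txt" && rm -f "$WORK/old.key"

echo "old cert usable for new encryption: $OLD_CERT_OK (new cert: $NEW_CERT_OK)"
echo "new key opens old ciphertext: $NEW_KEY_OPENS_OLD"
echo "old key decrypts old ciphertext: $(cmp -s "$WORK/msg.txt" "$WORK/msg.recovered.txt" && echo yes || echo no)"
```

The validity check is deliberately separate from the encrypt step: openssl's `cms -encrypt` will happily encrypt to an expired recipient certificate, so the "most software will not let you encrypt" behaviour the reply describes is a policy the client enforces, not something the cryptography does for you. The old key is removed only after the migrated copy has been decrypted and compared with the original; in real use that verification should cover every blob and a backup of the old key should survive until it does.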