SN 956 - deleting expired CA certs

  • Release Candidate 6
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!



Active member
Sep 19, 2020
I just finished listening to episode 956 and had a thought about deleting expired CA certs.

In the episode, Steve said that expired CA certificates would "never be valid anyway" so removing them should be "error free." I don't think this is true when it comes to code signing. As long as the code was signed (and countersigned by a timestamp server) during the certificate validity period, it is still considered valid even at a future date when the certs have expired.

So I think removing expired CA certs could cause issues.
@drwtsn32: THAT is a really interesting point.

We know that code signing with a timestamp server allows the signed code to be trusted past the expiration date of the signing certificate... But the signing certificate is still a certificate that chains up to a root CA:


I just checked... And while the immediately superior "G4 Code Signing" parent certificate has an expiration date at the end of April, 2036, the two certs it chains up to both expire on November 9th of 2031. That means that this chain will NOT be trusted past that 2031 expiration UNLESS, as you suggest, the signing timestamp is allowed to not only assert that validity of GRC's since-expired certificate, but ALSO the fact that those superior certs were all also valid at that time. And if that's the case, then I suppose that anyone who was being asked to trust this signed code after 2031 would need to have a copy of the chain, or at least any certs that are not in the chain that the code's signature might include, in their root store. But THAT requirement (of keeping expired roots around) seems like a bit of a stretch to me.

Good summary! I haven't actually tested my theory yet. The potential issue occurred to me while listening to the podcast.

It would be very interesting to test the theory by finding an executable signed by (ultimately) a root CA cert that has since expired, then moving that cert to the "untrusted" folder in the Windows Certificate Management mmc, and then testing signature validation of the executable.
  • Like
Reactions: Steve