Expired LOTW Production CA Cert

Feb 1, 2010

I recently upgraded my computer and ran into an interesting issue trying to install TQSL and load my Cert on the new box. I had, of course, saved my cert and key as a p12 file so it should have been a piece of cake. But when I attempted to load it into TQSL I got an error message about an expired cert. Since my cert isn't due to expire until 2/21/2010, this led to some head scratching.
I decided to import the p12 into Firefox to see what was going on. What I found was that, although my cert did indeed have an expiration of 2/21/10, the Production CA cert that was used to sign it had expired on 9/23/09. Evidently, TQSL is validating the entire cert chain on import and, since the Production CA cert is invalid, it refuses to load anything below it.
This is, arguably, correct behavior. CAs really shouldn't be signing and issuing certificates that have a validity period that falls outside their own. But knowing that doesn't help me get my cert loaded. :-)
What I ended up doing was suggested by some earlier posts in this group. (Thanks!) I set my computer clock back to before the Production CA cert had expired. That allowed the import to complete successfully, after which I reset the clock to the actual date. Fortunately for me, TQSL seems not to care about validating the Production CA cert after the initial import is done. That seems a bit sloppy from a PKI point of view, but it works to my benefit here.
So, bottom line, if you're trying to import what should be a valid p12 file and you're getting expired cert messages, it might be the intermediate CA cert that's expired, not your individual cert. In that case, resetting your computer clock to a date/time when all the certs in the chain were valid (shortly after cert creation seems a good bet) should fix the problem. And don't forget to set it back afterwards!
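The post describes two things a chain validator does: it checks each certificate's validity period against the current clock, and it implicitly exposes that a leaf was issued with a period extending past its issuer's. The following added example (not code from the post, from TQSL or from LoTW) models each certificate in a chain by its notBefore/notAfter window, flags any certificate that outlives its issuer, and computes the interval during which the whole chain validates, which is exactly the clock setting the author had to pick. The expiry dates are the ones given in the post (CA expired 9/23/09, user cert expires 2/21/10); the notBefore dates, the certificate names and the `SAMPLE_CHAIN` and `POST_DATE` constants are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertWindow:
    """One certificate reduced to its name and validity period (notBefore, notAfter)."""
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def chain_violations(chain: List[CertWindow]) -> List[Tuple[str, str]]:
    """Chain is ordered issuer first, leaf last.

    Returns (child, issuer) name pairs where the child's validity period is not
    contained in its issuer's: the situation in the post, a user cert that
    expires after the CA that signed it.
    """
    bad = []
    for issuer, child in zip(chain, chain[1:]):
        if child.not_before < issuer.not_before or child.not_after > issuer.not_after:
            bad.append((child.name, issuer.name))
    return bad


def common_validity(chain: List[CertWindow]) -> Optional[Tuple[datetime, datetime]]:
    """Intersection of every window in the chain.

    A validator that checks the whole chain accepts the import only while the
    clock lies inside this interval; None means no such moment ever existed.
    """
    start = max(c.not_before for c in chain)
    end = min(c.not_after for c in chain)
    return (start, end) if start <= end else None


def chain_valid_at(chain: List[CertWindow], when: datetime) -> bool:
    """True if every certificate in the chain is inside its validity period at `when`."""
    return all(c.valid_at(when) for c in chain)


def suggested_clock_setting(chain: List[CertWindow]) -> Optional[str]:
    """ISO date at the start of the common window (the post's 'shortly after cert
    creation'), or None if the chain was never valid as a whole."""
    window = common_validity(chain)
    return None if window is None else window[0].date().isoformat()


# Constructed sample chain. Expiry dates come from the post; the notBefore
# dates and names are placeholders, not real LoTW data.
SAMPLE_CHAIN = [
    CertWindow("LoTW Production CA", datetime(2004, 9, 23), datetime(2009, 9, 23)),
    CertWindow("user cert", datetime(2009, 2, 21), datetime(2010, 2, 21)),
]
POST_DATE = datetime(2010, 2, 1)  # the day the post was written


if __name__ == "__main__":
    for child, issuer in chain_violations(SAMPLE_CHAIN):
        print(f"{child!r} outlives its issuer {issuer!r}")
    print("whole chain valid on post date:", chain_valid_at(SAMPLE_CHAIN, POST_DATE))
    print("clock setting that validates the chain:", suggested_clock_setting(SAMPLE_CHAIN))
```

For a real p12, the windows can be read by exporting each certificate of the chain and running `openssl x509 -noout -dates` on it; the same check then tells you in advance whether an import will fail on an expired intermediate rather than on the user certificate itself.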