
Expired LOTW Production CA Cert

  • joseph_faber
    Message 1 of 3, Feb 1, 2010
      I recently upgraded my computer and ran into an interesting issue trying to install TQSL and load my Cert on the new box. I had, of course, saved my cert and key as a p12 file so it should have been a piece of cake. But when I attempted to load it into TQSL I got an error message about an expired cert. Since my cert isn't due to expire until 2/21/2010, this led to some head scratching.

      I decided to import the p12 into Firefox to see what was going on. What I found was that, although my cert did indeed have an expiration of 2/21/10, the Production CA cert that was used to sign it had expired on 9/23/09. Evidently, TQSL is validating the entire cert chain on import and, since the Production CA cert is invalid, it refuses to load anything below it.

      This is, arguably, correct behavior. CAs really shouldn't be signing and issuing certificates that have a validity period that falls outside their own. But knowing that doesn't help me get my cert loaded. :-)

      What I ended up doing was suggested by some earlier posts in this group. (Thanks!) I set my computer clock back to before the Production CA cert had expired. That allowed the import to complete successfully, after which I reset the clock to the actual date. Fortunately for me, TQSL seems not to care about validating the Production CA cert after the initial import is done. That seems a bit sloppy from a PKI point of view, but it works to my benefit here.

      So, bottom line, if you're trying to import what should be a valid p12 file and you're getting expired cert messages, it might be the intermediate CA cert that's expired, not your individual cert. In that case, resetting your computer clock to a date/time when all the certs in the chain were valid (shortly after cert creation seems a good bet) should fix the problem. And don't forget to set it back afterwards!
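The failure described in this post, as an added example (not code from the original post, from TQSL or from ARRL): a constructed three-tier chain built with Go's standard crypto/x509 package, in which the "Production CA" certificate expires on 2009-09-23 while the user certificate it signed runs until 2010-02-21. Names ("Sample Root CA", "Sample Production CA", the placeholder callsign "N0CALL") and every date other than those two expiry dates are assumptions for the example. Verifying on the post's date fails because of the issuer, not the leaf, and verifying "as of" a date inside the window where every certificate is valid succeeds, which is what the clock trick achieves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed hierarchy modelled on the thread: a long-lived root,
// the "Production CA" that signs user certificates, and one user (leaf) cert.
// Names and dates are sample values, except the two expiry dates from the
// post: the CA expires 2009-09-23, the user certificate 2010-02-21.
type Chain struct {
	Root, ProductionCA, User *x509.Certificate
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// issue signs tmpl with the parent's key and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates fresh P-256 keys and issues the three certificates.
// The user certificate deliberately outlives its issuer, the defect at issue.
func BuildChain() (*Chain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, caKey, userKey := keys[0], keys[1], keys[2]

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Root CA"},
		NotBefore: date(2000, 1, 1), NotAfter: date(2030, 1, 1),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Sample Production CA"},
		NotBefore: date(2004, 9, 23), NotAfter: date(2009, 9, 23), // expiry named in the post
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, root, &caKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "N0CALL"}, // placeholder callsign
		NotBefore: date(2007, 2, 21), NotAfter: date(2010, 2, 21), // expiry named in the post
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	user, err := issue(userTmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, ProductionCA: ca, User: user}, nil
}

// VerifyAt validates the user certificate up to the root as of time t. Making
// the verification time an explicit input is what "set the clock back" does by
// brute force, without disturbing every other time check on the machine.
func (c *Chain) VerifyAt(t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.ProductionCA)
	_, err := c.User.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// ExpiredAt lists the certificates whose own validity window excludes t, which
// is how to tell an expired issuer apart from an expired leaf.
func (c *Chain) ExpiredAt(t time.Time) []string {
	var out []string
	for _, cert := range []*x509.Certificate{c.User, c.ProductionCA, c.Root} {
		if t.Before(cert.NotBefore) || t.After(cert.NotAfter) {
			out = append(out, cert.Subject.CommonName)
		}
	}
	return out
}

func main() {
	chain, err := BuildChain()
	if err != nil {
		panic(err)
	}
	postDate := date(2010, 2, 1) // the post's date: user cert still valid, its issuer not
	overlap := date(2009, 9, 1)  // inside the window where every cert in the chain is valid

	fmt.Println("expired on post date:", chain.ExpiredAt(postDate)) // [Sample Production CA]
	err = chain.VerifyAt(postDate)
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		fmt.Println("chain rejected, expired certificate:", inv.Cert.Subject.CommonName)
	} else {
		fmt.Println("verify at post date:", err)
	}
	fmt.Println("verify inside overlap window:", chain.VerifyAt(overlap)) // <nil>
}
```

Run it with `go run`. The point of ExpiredAt is the diagnosis step from the post: check each certificate's NotAfter against the date you are verifying at before assuming your own certificate is the problem. Passing CurrentTime into VerifyOptions is the same trick as moving the system clock, limited to this one check; it does nothing about the underlying defect, which only the CA can fix by reissuing.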
    • Peter Laws
      Message 2 of 3, Feb 2, 2010
        On Mon, Feb 1, 2010 at 22:48, joseph_faber <no_reply@yahoogroups.com> wrote:

        > I decided to import the p12 into Firefox to see what was going on.  What I found was that, although my cert did indeed have an expiration of 2/21/10, the Production CA cert that was used to sign it had expired on 9/23/09.  Evidently, TQSL is validating the entire cert chain on import and, since the Production CA cert is invalid, it refuses to load anything below it.
        >

        ARRL has never admitted this, but you're not the first to figure it out.


        --
        Peter Laws | N5UWY | plaws plaws net | Travel by Train!
      • James Kirkham
        Message 3 of 3, Feb 2, 2010
          Thanks for the info Joseph.

          This apparently is what happened to me as well, but I just ended up
          requesting a new cert from the ARRL. It wasn't that big of a deal
          because I got a new one the same day.

          73
          James


          joseph_faber wrote:
          > I recently upgraded my computer and ran into an interesting issue trying to install TQSL and load my Cert on the new box. I had, of course, saved my cert and key as a p12 file so it should have been a piece of cake. But when I attempted to load it into TQSL I got an error message about an expired cert. Since my cert isn't due to expire until 2/21/2010, this led to some head scratching.
          >
          > I decided to import the p12 into Firefox to see what was going on. What I found was that, although my cert did indeed have an expiration of 2/21/10, the Production CA cert that was used to sign it had expired on 9/23/09. Evidently, TQSL is validating the entire cert chain on import and, since the Production CA cert is invalid, it refuses to load anything below it.
          >
          > This is, arguably, correct behavior. CAs really shouldn't be signing and issuing certificates that have a validity period that falls outside their own. But knowing that doesn't help me get my cert loaded. :-)
          >
          > What I ended up doing was suggested by some earlier posts in this group. (Thanks!) I set my computer clock back to before the Production CA cert had expired. That allowed the import to complete successfully, after which I reset the clock to the actual date. Fortunately for me, TQSL seems not to care about validating the Production CA cert after the initial import is done. That seems a bit sloppy from a PKI point of view, but it works to my benefit here.
          >
          > So, bottom line, if you're trying to import what should be a valid p12 file and you're getting expired cert messages, it might be the intermediate CA cert that's expired, not your individual cert. In that case, resetting your computer clock to a date/time when all the certs in the chain were valid (shortly after cert creation seems a good bet) should fix the problem. And don't forget to set it back afterwards!
          >

          --
          73

          James - KD4ERU

          Alexandria, VA
          FM18lt