
System time and certificates - Information Security Stack Exchange
Nov 29, 2012 · Since your time ended up ahead by a month, you probably browsed to a site that was nearing needing to replace their SSL certificate and so your browser thought it invalid. If you changed the time on the server, the server would think it ok, but any clients connecting would have the actual time and reject the certificate as out of date.
certificates - On-line cryptographically signed date/time ...
Certs in the future would be a serious issue. If the time service is run in-house, the people able to tamper with it are the same (or close) to the ones with an incentive to do so, in order to subvert the trusted device to generate certs in the future. Thus I prefer an independent date/time source.
Why are certificates limited in time?
May 15, 2014 · Although the certificate has a finite validity period it can be revoked at any time. The act of revocation places the serial number of that certificate into a certificate revocation list (CRL). Each certificate will include a link to a location where the latest CRL has been published by the issuer of that certificate.
What role does clock synchronization play in SSL communication
Simple version (for managers): Time syncs can prevent replay attacks. Without them, someone could record the packets sent between client and server, decrypt, modify data, then resend the packet stream and no one would be the wiser. But, because decryption takes time, a timestamp (validated on both sides) can indicate that the stream is a 'replay'.
Using build time generated, self-signed certs for inter application ...
Jan 17, 2019 · Now I realize that I could use my company's root cert to sign individual certs for all my different applications, however, the problem is, that cert is managed by another department. This other department managing the certs is very overloaded, and relying on them to sign my certs would introduce unacceptable delays in our productivity ...
Should expired (root) certificates be deleted from the certificate ...
Jan 28, 2025 · This means that if signature was created 20 years ago and signing time is embedded in signature, then you can successfully validate signature after signing (or any certificate in its chain) expiration, because code signing validation logic checks if signing certificate was valid at signing time, not validation time.
How to reset Windows trusted certificates store to its default
Thus I removed over 300 Trusted Root certs from my Windows 10 installation and have only 36 left without any issue. I did this because each certificate, even legit ones, increases the attack surface. Importing the entire list is not a reset to default, and is a potential security hazard, however if you want to import the entire list of 400 certs ...
tls - How to allow a user to login via client X.509 certificate or ...
Dec 3, 2024 · Also note that you need some way to know you can trust the certificate. This usually means having your own CA, generating private/public key pairs, generating a CSR, sending it to the server, knowing (via other means, e.g. user/password) who the user is, signing the cert, sending it back, and having it installed in the user's system.
authentication - Can I sign with two Code Signing certs to build ...
May 31, 2019 · I am experimenting myself with 2 certs right now. To add a second code signing cert I use /as key of my signtool v8.1. I figured out that the order how you sign your EXE file with your certs leads to different results: If I sign my Exe file with Old, then New certs then SmartScreen doesn't complain (but I am not sure if your new cert gets any rep).
Why are SSL certificates valid only from a certain date?
Mar 5, 2013 · That's what you do when you verify a signature several months/years after the deed. This is a complicated game with time stamps and projecting yourself in the past. The start-of-validity date then plays an important role (although hard to explain in a few paragraphs).