-1

Looking at Windows 10 certificate store, I noticed some expired certificates:

[Image: Win certificate store]

I wonder:

  • Why does W10 still keep expired certificates? I thought they were automatically removed after an "expiry grace time".
  • Can all the expired certificates be removed without any side effects?

Thanks in advance

1 Answer

0

They are necessary to validate signatures made by expired signing certificates. If the signature is timestamped (there is an indication of when the signing occurred) it is possible to validate the signature. The timestamp provides information to determine whether the certificate was valid at the signing time. This is why Windows ships a bunch of expired CA certificates.

Crypt32
  • Thanks for your reply. To my understanding, does this mean that the old certificates are kept in order to have a "trust chain" between the old and the new one, right? – Katsuro Kurosaki Feb 24 '17 at 08:01
  • No, old certs are used to validate signatures whose certificates expired long ago. – Crypt32 Feb 24 '17 at 11:41
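
An added example, not part of the original answer or comments: a read-only PowerShell check that lists expired certificates which still sit in the chain of a file whose Authenticode signature Windows reports as valid, which is the case the answer describes. The `$ScanPath` default is an assumed sample directory; the script removes nothing from any store.

```powershell
# Added example: inventory expired certificates that valid signatures still depend on.
param([string]$ScanPath = "$env:SystemRoot\System32")  # assumed sample directory

$now   = Get-Date
$inUse = @{}  # thumbprint -> expired certificate still referenced by a valid signature

$files = Get-ChildItem -Path "$ScanPath\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue
foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') { continue }   # only signatures Windows currently accepts

    # Walk both the signer chain and the timestamp authority chain.
    foreach ($leaf in @($sig.SignerCertificate, $sig.TimeStamperCertificate)) {
        if ($null -eq $leaf) { continue }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'            # stay offline, no CRL/OCSP lookups
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid' # build the chain even if certs expired
        [void]$chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            if ($cert.NotAfter -lt $now -and -not $inUse.ContainsKey($cert.Thumbprint)) {
                $inUse[$cert.Thumbprint] = [pscustomobject]@{
                    Subject     = $cert.Subject
                    NotAfter    = $cert.NotAfter
                    Timestamped = ($null -ne $sig.TimeStamperCertificate)
                    ExampleFile = $file.Name
                }
            }
        }
    }
}

# Each row is an expired certificate that at least one valid signature chains through.
$inUse.Values | Sort-Object NotAfter | Format-Table -AutoSize
```

Any certificate this lists is one whose removal would affect validation of the example file shown next to it.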