Hi There

This may seem like a stupid question but i am trying to get the hang of the new security model.

Ihave not really heard anything mentioned about certficate expiration date when it comes to creating certificates for keys or service broker endpoints etc.

We have created certificates for keys and service broker endpoints, now what exactly happens when the expiration date, by default 1 year i think is reached, will we no longer be able to decrypt encrypted data and will the service broker endpoints stop working etc ?

Or is this expiration date when the certificate can no longer be used to create security objects ? And all security objects already created with this certificate will always work ?

In other words is there ever danger that keys and endpoints or basically any object referrencing this certificatewill just suddenly stop working one day, or will all objects work indefinately regardless of an certificate/objects expiration date ?

Thanx

The certificate expiration date is not enforced by SQL Server directly. These certificates can still be used for data encrypting, decrypting, signing, verifying signatures or object creation/usage in SQL Server.

Service Broker will honor the expiration date and after a certificate has expired it cannot be used (See “Certificates for Dialog Security�http://msdn2.microsoft.com/en-us/library/ms166117.aspx ). For more information on Service broker usage of certificates I would recommend to visit Service Broker Conversations webpage at http://blogs.msdn.com/remusrusanu/.

While SQL Server itself will not prevent you from using an expired certificate, it is up to the application developers to enforce or suggest the expiration, and use the available usage of expired certificates as a disaster recovery tool rather than as a rule. I strongly recommend generating new certificates to substitute expired ones.

Thanks,

-Raul Garcia

SDE/T

SQL Server Engine

The certificate expiration date is not enforced by SQL Server directly. These certificates can still be used for data encrypting, decrypting, signing, verifying signatures or object creation/usage in SQL Server.

Service Broker will honor the expiration date and after a certificate has expired it cannot be used (See “Certificates for Dialog Security�http://msdn2.microsoft.com/en-us/library/ms166117.aspx ). For more information on Service broker usage of certificates I would recommend to visit Service Broker Conversations webpage at http://blogs.msdn.com/remusrusanu/.

While SQL Server itself will not prevent you from using an expired certificate, it is up to the application developers to enforce or suggest the expiration, and use the available usage of expired certificates as a disaster recovery tool rather than as a rule. I strongly recommend generating new certificates to substitute expired ones.

Thanks,

-Raul Garcia

SDE/T

SQL Server Engine

Hi Raul,

Looking at the datestamp of this thread, is this still valid?

"The certificate expiration date is not enforced by SQL Server directly. These certificates can still be used for data encrypting, decrypting, signing, verifying signatures or object creation/usage in SQL Server. "

Our certificate is about to expire in a month.

Thanks!

Yes. This information is still valid. In any case I would still recommend thinking about regenerating any certificates you may use for encryption (i.e. SYMMETRIC KEY protection), but not because they will stop working.

It is always good to have a policy about the lifetime of cryptographic material, and the longer a key is in use, the greater the chances for an adversary of breaking it.

I hope this information helps,

-Raul Garcia

SDE/T

SQL Server Engine

And to clarify further, Raul's original answer from 2006 continues to be valid and it includes the Service Broker exception that Remus points out.