gpgsm and expired certificates

Werner Koch wk at
Sun Oct 27 11:13:32 CET 2013

On Sun, 27 Oct 2013 10:23, pete at said:

> Correct, though it is possible (but usually recommended against) to
> create a new certificate using the same private keypair as before. In

The business model of most CAs is to sell you a subscription by setting
the expiration time very low so that they can ask after a year for
another fee to create a new certificate.  Here it does not make sense to
create a new private key every year.

GnuPG basically does the same by allowing you to prolong the expiration

> I interpreted Werner's comment to mean "In order to decrypt messages
> encrypted to you, you only need a private key. You don't need a valid
> certificate to decrypt old messages that were encrypted to a
> now-expired certificate."




Thoughts are free.  Exceptions are regulated by a federal law.
