Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires

Assume the following scenario:

  • A user has received an email message in the past.
  • The message was signed with an S/MIME certificate.
  • The sender's signature certificate was issued by a certification authority that has been granted trust status with the recipient.
  • Thus, the signature was recognized as valid at the time the message was received.
  • The user opens the mail again some time later and finds that the signature is classified as invalid.

If you look at the details of the signatureIf you click on the button , you will see that the signature certificate has started to run.

Error: The certificate used to create this signature is no longer valid. 

Information about the behavior is provided by the RFC 5750which governs the handling of certificates in the context of S/MIME, and the RFC 8551which governs S/MIME in general:

Some of the many places where signature and certificate checking might fail include: [...] the certificate is expired

RFC 5750

When determining the time for a certificate validity check, agents have to be careful to use a reliable time. [...] this time MUST NOT be the SigningTime attribute found in an S/MIME message.

RFC 5750

The signingTime attribute is used to convey the time that a message was signed. The time of signing will most likely be created by a signer and therefore is only as trustworthy as that signer.

RFC 8551

Since with S/MIME there is no signed time stamp (Time Stamp, RFC 3161), there is no way to ensure that a message was really signed at the specified time. Signatures could be backdated by an attacker to make signatures with a certificate that has since been revoked or expired appear valid.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

For this reason, "historical" mails, i.e. those that were signed with a time-valid certificate at the time of receipt, are no longer classified as signature-valid if the signing certificate has expired.

For the same reason, messages signed by a certificate that has since been revoked are also displayed as not signature valid, even if the revocation occurred after the message was signed.

Related links:

External sources

en_USEnglish