How to renew an expiring free Secure Email Certificate?

[Guest]

[Chan]

(1) How to renew a free Secure Email Certificate when it is expiring in a year?
(2) Must the free Secure Email Certificate be renewed before it expires?

(3) Can a separate new free Secure Email Certificate be used on the same old email account?
(3a) Can I still read the old received emails what were encrypted with my old expired Secure Email Certificate's digital signature?
(3b) Would my contacts who have received my old Secure Email Certificate be confused by the new Secure Email Certificate?

Is there paper that talks about issues of renewing or replacing an earlier Secure Email Certificate  or on multiple Certificates/Digital Signatures used from time to time on the same email account?

[garry]

Hi,

Yes, you can renew before the old one expires.
You can do this through www.instantssl.com

You will need to have both the old certificate and new one on the machine.
The old one is needed to read emails that people encrypted when sending to you.
And, you will need to distribute the new certificate to the people you want to send you encrypted emails, asking them to update the entry in their address books (so the certificate to use is updated).

Garry

[Chan]

Dear Garry,
Thank you for your prompt reply and help.  Please help further clear my confusion or worry:

If I can renew before the old one expires, then I can have more than one email certificates associated with the same (my) email account.

(1a) Can a Certificate Store, such as IE's Certificate Manager, accept and manage more than one certificates Issue to the same person under the same email account? 
(1b) If I digital sign an outgoing email, which of my digital signatures in the IE's Certificate Store will be selected and used by Outlook Express?


(2a) Would my contacts who have received my old Secure Email Certificate be confused by the new Secure Email Certificate?
(2b) Because the old and new Secure Email Certificates were issued to the same person, how do the my contacts' (recipients') know whether to add the new certificate without deleting the old certificate's information or to replace the old certificate?
(3b) If my contacts email me encrypted emails, how do I know which of my certificates they were using to encrypt the emails?  and how do I know and specify to OE which certificate to decipher the incoming email?

Best regards,
Chan

[garry]

Hi,

To address each question:

1a. The answer is yes, I have that on my PC
1b. You would configure your Outlook security setting to point to the certificate you want to use

2a. You just need to ask them to update the entry for you in their address book when you send the signed email......tell them you have a new certificate
2b. They need to replace the old certificate, or they could delete you from their address bokk and add you again with the new certificate
3b. As long as you have the old certificate installed you don't need to specify which one, you only specify which certificate to sign with, not which one to decrypt with.

Garry

[Chan]

Dear Garry,
Thank you for your patient and kind clarifications.   To make sure I learn the concept correctly, please check my following understanding is correct:

(1) RENEW a Secure Email Certificate is NOT simply extending the expiration date while keeping the current Certificate's private and public keys.  RENEWing is actually getting a complete new Certificate with its own new pair of private and public keys.

(2) In order to read any old encrypted emails from my archive, I must keep all the expired Certificates otherwise I could not read them even with a current valid Certificate.

(3) However, the recipients of my digital signed emails do not and CANNOT keep any of my expired Certificates because they MUST update the Certificate of my email address in their address book with the most current one sent to them in my digital signed email. 
(Q1: Would the IE's or OE's Certificate Manager automatically replace the existing Certificate in the recipient's address book with the new one as soon as he/she open my new incoming email with the new digital signature?)

(4) If I have more than one email accounts and addresses in the Outlook Express, and IE's Certificates Manager is managing all the Certificates for OE.  I can have more than one current (not expired) Certificates with each associated with a particular email address.  As time goes by, I may have tens or even hundred of Certificates in the IE Certificate Store and the IE Certificates Manager can somehow know which one to use without me to worry about it or remember which one is for what.

(5) Because the way the Standards have been specified (and not a limitation of the implementation), all Secure Email Certificates in the whole world, no matter whose implementations, are NOT renewable in the sense of just extending the expiration date while keeping the original public and private key pair.

(6) Lastly, to "renew" the current Certificate, I need to go back to "Free Secure Email Certificate:", http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html web page to apply a brand new Certificate independent from the current one but with the same email address registration in both the new and current Certificate

Q2: Am I correct on all the above understandings of the Secure Email Certificates?

If my understanding is correct, let me take the opportunity to say thank you again, my teacher.   If I am still not getting it, please bear with me.

If there is a way, please give me more specific step-by-step instructions on
Q3: how can I RENEW my current Secure Email Certificate before its expiration through www.instantssl.com by extending its expiration date while keeping its original public and private keys?

Moreover, I could not find any topic in the COMODO Knowledge Base talks about the concept.  It may be a good idea and beneficial to others to add a topic of what you have just taught me in the Secure Email Certificates Knowledge Base.

Best regards,
Chan

[garry]

Hi,

The answer to 1 and 2 is yes you are correct.

For 3, you are correct that they must update the certificate they hold for your ID.
The process is not automatic, it must be done manually.
If you try to add a contact to an address book which already exists you get a message asking if you want to 'update' the entry.

For 4, yes as time goes by you could have a lot of expired certificates.
And yes, it will know which certificate to use to decrypt the message, thats why you need to keep them.

For 5, expiration dates are hard coded into the certificate, so once expiry is reached it must be renewed with a new certificate.

For 6, yes you are correct.

The one article you might want to read is this one:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=223&nav=0,32

Hope this helps.............. 

Garry

[hazelp]

I'm new to email certificates and still trying to get the one I recently obtained to work properly.  Ran across this thread while troubleshooting. 

I note the last post was in March 2007, more than 2 years ago.  Is the content above still accurate?  In particular, is it still the case that free certificates expire after 12 months and cannot be renewed, but must be replaced?   (Sorry, Comodo, but in normal English usage the word "renew" means to extend, refresh, or restore; it does not mean replace.  The only place I've seen it used to mean replace is in a Mercedes factory service manual, which is obviously an incorrect translation from German to English.)

If so, this creates a huge inconvenience to users who wish to use encrypted email with more than a handful of correspondents.  If I have, say, 100 people I communicate with using encrypted email, I must send all of them my new certificate once a year, with instructions how to manually install it (and not delete the old one)--which will vary depending on what OS and email system each one uses--and each of them must do the same with every person they communicate with, etc.  A fair question is whether it's even worth it to use a free Comodo certificate versus manually creating your own key set using PGP or GnuGP.  That's a little more work up front, but at least you can make keys that don't expire every year.

Thoughts?  Advice?

H

[gordon2008]

Hi,

Please submit the ticket in the following link, our support team will reply back to you
http://support.comodo.com/index.php?_m=tickets&_a=submit

[recaminha]

Hi,

I also have a concern about renewing the free Secure Email Certificate.

I have issued and installed a Secure Email Certificate and it is working very well. But I tried to issue a second Certificate for the same email address (in order to simulate what I'll have to do within a year, when the current certificate is gonna expire) but I got the following error message:

"A Secure Email Certificate has already been issued for this email address!"

Why did I get this error message? Can or cannot more than one certificate be issued for a certain email address? Does it have to do with the period when the Certificate has been issued?
Can you please help me to clarify this issue?

Thanks!

-Renata

[Dean S]

Hi Renata,

Thank you for your mail.

Yes, you can not get two free email certificate for the same email id. You can a new email certificate only if the certificate expired or revoked.

Please submit a ticket with the email id for which you are having email certificate and the issue(if any) by visit the given below link

https://support.comodo.com/index.php?_m=tickets&_a=submit

[recaminha]

Dear Dean,

Thank you for your prompt response.

I got one more question regarding your response: is there any difference between when a certificate expires or is revoked? Does a revoked certificate still work to open the old messages certified using it?

Thanks,

-Renata

[Dean S]

Hi


>Does a revoked certificate still work to open the old messages certified using it?

Yes. you can read the encrypted old mails using the revoked certificate. But it should be available in the certificate store of your computer.

[CarlosDMayo]

Anyone still monitoring this thread? I get that a free email certificate must be replaced on expiration. Does this apply to a paid email certificate as well? TIA!

[Dean S]

Anyone still monitoring this thread? I get that a free email certificate must be replaced on expiration.

Yes, you have to apply for  a new free email certificate for the same email address and assign/enable the new certificate in your email client once certificate collection process completed.

 >Does this apply to a paid email certificate as well? TIA!
Yes.

[Tags:]