
The organization certificate has expired

Created: 16 Oct 2012 • Updated: 18 Oct 2012 | 5 comments
sel's picture
This issue has been solved. See solution.

I am getting the following message on the PGP Universal Server version 2.9.1:

The organization certificate has expired. Please remove, replace, or regenerate it as soon as possible.

I reviewed Article ID: TECH149187 Organization Certificate Expired - PGP Universal Server and would like some answers to the following questions:

1. Would it work better to replace the Organizational certificate now and let the Organizational key automatically renew? Or wait until the Organizational key automatically renews (one day before the expiration) and then replace the Organizational certificate?

2. What's the impact to users for both options?

Thanks for the help!

 


mwoj's picture

Hi Sel,

It should not matter when you want to renew the Org Certificate. The only portion which is taken from the Org Key to generate the Org Certificate is the RSA Key.
Since this is a self-signed Certificate there is no instance above which can let the certificate expire sooner than its own lifetime.

In both cases the impact for the users is that they would get a new User Certificate, which becomes the active one. Existing User Certificates are still available, but will only be used for decrypting emails.

Cheers,
Martin

SOLUTION
sel's picture

Thanks Martin for your response.

My original Org certificate will expire on 10/24/12. I removed the old Org certificate and created a new self-signed one, but the new expiration date is still 10/24/12. How do I set it to expire one year from today?

Thanks,

SEL

mwoj's picture

Hi Sel,

It appears that the signed Certificate has the end date matching the same date on the Org Key.
In a case like yours, renewing the Org Cert now, I assume it has the same end date you posted, like the Org Key.

So your option no. 2 would be the preferred one.

The problem is that you can't renew the existing Org Key at the time you want, at least in the UI.

There is a workaround for this if you don't want to wait until 10/24/2012.
In case you have SSH access enabled to the Universal Server you could perform the following command:

pgpkeytool --update-sigs --expire-within 10

This will re-sign all keys (also the Org Key) to the new end date (which is the lifetime you defined for the Org Key at installation).

Then you can recreate the Org Certificate which should also have the new end date from the Org Key.

Note: Always create a PGP backup before issuing any SSH commands.

sel's picture

Martin,

My only option right now is to renew in the UI. I was going to wait till 10/23 when the Org key automatically renews itself. It is 10/23 and the Org key still did not renew. Do you have a suggestion?

What's the impact if I let it expire and renew after it is expired?

Thanks,

SEL

mwoj's picture

The cron job that updates the signatures runs every 12 hours starting from 0am. It should renew it by 12pm at the latest. If not, you may want to raise a call with support if access to the SSH command line is not possible from your side.