Recommended OCS Certificate Expiration Length

  • Question

  • Hi

     

    What is the recommended length you should set your certificate to expire?

     

    And when a certificate is coming up to its expiration date, what steps do you have to take to renew them, and is this process seamless to the customer?

     

    Thanks

     

    Dhiren

     

    Thursday, February 14, 2008 9:03 AM

Answers

  • There is no officially recommended expiration length.  Generally this is 1-2 years.  The key is to monitor for the right event:

     

    Event Type: Warning
    Event Source: OCS Protocol Stack
    Event Category: (1001)
    Event ID: 14398
    Date:  11/14/2008
    Time:  8:22:53 AM
    User:  N/A
    Computer: SE
    Description:
    The default outgoing certificate configured for secure transport will expire soon.

    Outgoing Certificate for (Default) edge will expire on Thursday, December 04, 2008 at 1:10:50 PM Local Time. The certificate serial number is attached for reference.

     

    The renewal process is definitely not seamless.  For some reason the option to renew the certificate was not included in the OCS certificate wizard (as compared to IIS, which has this option) so you'll have to generate a new one (if using an internal CA) or use the renewal process from your certificate vendor (if using a public CA).

    Thursday, February 14, 2008 1:32 PM
    Moderator
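
One way to act on the event the answer says to monitor, as an added example that is not part of the original thread or of OCS itself: it scans event records exported as plain text in the layout quoted above and reports each 14398 warning with the days left until expiry. The function name `expiring_certificates`, the `warn_days` threshold and the filler record are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the warning quoted in the answer plus one made-up filler record.
SAMPLE = """\
Event Type: Warning
Event Source: OCS Protocol Stack
Event Category: (1001)
Event ID: 14398
Date:  11/14/2008
Time:  8:22:53 AM
User:  N/A
Computer: SE
Description:
The default outgoing certificate configured for secure transport will expire soon.

Outgoing Certificate for (Default) edge will expire on Thursday, December 04, 2008 at 1:10:50 PM Local Time. The certificate serial number is attached for reference.

Event Type: Information
Event Source: Example Source
Event ID: 1
Description:
Constructed filler record.
"""

FIELD = re.compile(r"(?m)^(Event Source|Event ID|Date|Time|Computer):[ \t]*(.*?)[ \t]*$")
EXPIRY = re.compile(r"Certificate for (.+?) will expire on "
                    r"(\w+, \w+ \d{1,2}, \d{4} at \d{1,2}:\d{2}:\d{2} [AP]M)")

def expiring_certificates(text, warn_days=30):
    """Return 14398 warnings whose certificate expires within warn_days (hypothetical threshold)."""
    findings = []
    for record in re.split(r"(?m)^(?=Event Type:)", text):  # one chunk per event record
        fields = dict(FIELD.findall(record))
        if fields.get("Event Source") != "OCS Protocol Stack" or fields.get("Event ID") != "14398":
            continue
        match = EXPIRY.search(record)
        if not match:
            continue  # warning without a parsable expiry line
        logged = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        expires = datetime.strptime(match.group(2), "%A, %B %d, %Y at %I:%M:%S %p")
        days_left = (expires - logged).days  # measured from when the event was logged
        if days_left <= warn_days:
            findings.append({"computer": fields["Computer"], "certificate": match.group(1),
                             "expires": expires, "days_left": days_left})
    return sorted(findings, key=lambda f: f["expires"])

if __name__ == "__main__":
    print(expiring_certificates(SAMPLE))
```

Both timestamps in the event are local time on the reporting server, so the day count needs no time zone conversion as long as it is compared against the event's own date.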

All replies

  • Thanks Mike

     

    Dhiren

     

    Thursday, February 14, 2008 1:56 PM