Each root, intermediate, server, and code-signing certificate remains valid for a specific period of time (Valid From and Valid To dates). When a certificate expires, system users receive error messages.
Ensuring continued secure system access requires advance planning. There is no certificate renewal process. For each expiring certificate, you must create a new, replacement certificate, get it signed, import it into the User Key Store, and ensure that the root CA certificate used to sign it is in each station’s User Trust Store. If your company uses a third-party CA, the whole process can take a couple of weeks. As a best practice, keep track of each certificate’s expiration date, and plan ahead to replace old certificates before they expire.
The code-signing certificate provides an exception to this rule. As long as your code-signing certificate is time-stamped,
you may continue to use it even after it expires.
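One way to do the tracking recommended above, as an added example (not code from the original page or the product). The inventory, aliases, dates, the 14-day CA turnaround and the 30-day warning window are constructed assumptions; Valid To strings use the format OpenSSL prints.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real certificates): alias, type, Valid To in the
# format OpenSSL prints, CA turnaround in days, code-signing time-stamp flag.
INVENTORY = [
    ("station-a-tls", "server", "Mar 10 12:00:00 2025 GMT", 14, False),
    ("station-b-tls", "server", "Jan 15 12:00:00 2025 GMT", 14, False),
    ("corp-intermediate", "intermediate", "Feb 20 00:00:00 2025 GMT", 14, False),
    ("module-signing", "code-signing", "Jan 20 00:00:00 2025 GMT", 14, True),
    ("plant-root-ca", "root", "Jun  1 00:00:00 2030 GMT", 14, False),
]
NOW = datetime(2025, 2, 10, tzinfo=timezone.utc)  # constructed "today"
ORDER = ["EXPIRED", "OVERDUE", "DUE_SOON", "TIMESTAMPED", "OK"]

def plan_replacements(inventory, now, warn_days=30):
    """Return (status, alias, start_by, valid_to) rows, most urgent first.

    start_by is the last day to begin creating and signing a replacement so
    it can be imported before Valid To, given the CA turnaround.
    """
    rows = []
    for alias, kind, not_after, lead_days, time_stamped in inventory:
        valid_to = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
        start_by = valid_to - timedelta(days=lead_days)
        if kind == "code-signing" and time_stamped:
            status = "TIMESTAMPED"   # the page's exception: usable after expiry
        elif now >= valid_to:
            status = "EXPIRED"       # users already receive error messages
        elif now >= start_by:
            status = "OVERDUE"       # CA turnaround no longer fits before expiry
        elif now >= start_by - timedelta(days=warn_days):
            status = "DUE_SOON"      # schedule the replacement now
        else:
            status = "OK"
        rows.append((status, alias, start_by.date().isoformat(),
                     valid_to.date().isoformat()))
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[2]))

if __name__ == "__main__":
    for row in plan_replacements(INVENTORY, NOW):
        print("{:<12} {:<18} start by {}  expires {}".format(*row))
```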
Additional details
- FOXS connections between stations that are using Allowed Hosts exemptions will still connect even when a certificate has expired.
- FOXS connections between stations not using Allowed Hosts exemptions will fail to reconnect. Certificates must be reissued for successful connections.
- Browser connections will start showing messages that the certificate is no longer trusted, but will still connect.
- Workbench will connect even though a certificate has expired.
NOTE: Using Allowed Hosts exemptions is not as secure as using signed certificates without exemptions. The use of signed certificates means that each certificate will need to be re-issued before it expires to avoid connection problems. It is important to note that using signed certificates without exemptions provides a much more secure environment.