What happens to encrypted mails when CA certificate expires in my Windows Domain

Does anybody know what will happen to encrypted/signed mails when a root authority certificate expires in my domain network? Can the certificate still be validated by the clients, and will the clients recognize that the certificate was valid when the mail was encrypted/signed?

Also, what will happen when a migration to a new infrastructure takes place, or if I install a new root CA? Is there also a need to migrate the expired root certificate?


I can only speak for the behavior in Outlook, but ... an expired certificate will produce a warning when a user opens their e-mail, saying it is untrusted. They can view the expired certificate and decide if they want to continue and read the e-mail.

It's like an expired ID card. I know it used to be you, but you could have changed your name or shaved your head or something ... so you need a new ID before I can validate your identity.

Regarding the migration ...

Certificate Authority Trust Model

"An expired CA certificate in the certification path does not invalidate the path. In the Windows 2000 public key infrastructure, a certification path can be valid as long as the CA certificate was valid at the time the certificate was issued." So yes. You should probably keep the expired root cert.
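The trust model quoted above, modelled as an added example (not code from the original post or from Microsoft): a two-certificate path is checked once under the issuance-time rule, where a CA certificate only has to have been valid when it issued the next certificate, and once under a strict rule where every certificate must be valid at the time of checking. The CA and user names, dates and trust store are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def valid_at(cert, when):
    return cert.not_before <= when <= cert.not_after


def chain_links(path, trusted_roots):
    """Issuer names link up and the path ends in a self-signed root the client trusts."""
    root = path[-1]
    if root.issuer != root.subject or root.subject not in trusted_roots:
        return False
    return all(c.issuer == p.subject for c, p in zip(path, path[1:]))


def valid_issuance_model(path, trusted_roots, when):
    """Rule quoted in the answer: each CA certificate only has to have been valid
    when it issued the certificate below it (approximated here by that certificate's
    notBefore); only the end-entity certificate is checked against `when`, i.e. the
    signing time of an S/MIME mail."""
    if not chain_links(path, trusted_roots):
        return False
    if any(not valid_at(p, c.not_before) for c, p in zip(path, path[1:])):
        return False
    return valid_at(path[0], when)


def valid_strict_model(path, trusted_roots, when):
    """Stricter rule: every certificate in the path, root included, must be valid at `when`."""
    return chain_links(path, trusted_roots) and all(valid_at(c, when) for c in path)


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample PKI: hypothetical names and dates, not a real deployment.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", _utc(2005, 1, 1), _utc(2015, 1, 1))
ALICE = Cert("CN=alice", "CN=Example Root CA", _utc(2014, 3, 1), _utc(2016, 3, 1))
PATH = [ALICE, ROOT]
SIGNED_AT = _utc(2014, 6, 1)   # Alice signs the mail while the root is still valid
CHECKED_AT = _utc(2015, 6, 1)  # recipient opens it: root has expired, Alice's cert has not
```

Removing the expired root from the trust store (an empty `trusted_roots`) fails both checks, which is why the answer recommends keeping it after a migration.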