BodnarSoft / KeePass-Smart-Certificate-Key-Provider

KeePass plugin that allows using Smart Card certificates to encrypt the database more securely.
MIT License

certificate with expiration date #4

Closed kehli4713 closed 3 years ago

kehli4713 commented 4 years ago

Hi, thanks for your work on the great plugin. We want to secure the KeePass database with Active Directory certificates. It's all working well. But they are valid for 2 years. What happens when the certificate is expired and we did not do anything? THANKS

FrantisekBodnar commented 4 years ago

Hi, I'm glad that you use my plugin and are happy with it. :)

The problem would be that if the private key of the certificate changes, you would not be able to open the database. It works like a "hidden second Master Password" that is generated from that private key alongside your Master Password. It is the same as if you forgot the Master Password: you would not be able to open any DB.

If the certificate is just expired, and not deleted, you should be able to unlock the DB. I don't restrict the list of certificates that you can select based on expiration date. The only restriction is that you can't select a certificate without a private key.

What I can do is add a reminder when you open the DB that the certificate will expire. If you have any other suggestions, just let me know. :)

When you open the DB with the expired certificate, you can then select the new one and save the DB.

Best Franky

Peter0x48 commented 4 years ago

Hi Franky,

What do you think about adding a recovery mode? I think one way to implement it would be to display the content of the RSA signature as a hex string during setup and then add a recover button to the prompt during the unlock phase.

Thanks, Peter

FrantisekBodnar commented 4 years ago

I see your point, but I also see it as a potential security risk that someone could access your DB without the Smart Card. The point of the Smart Card is that nobody can access that information, so it can't be stolen or misused.
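Added illustration of the two points made in this thread (the "hidden second Master Password" derived from the private key, and why exporting the signature for recovery weakens the Smart Card requirement). This is not the plugin's code: it uses a toy RSA key with tiny primes, a constructed fixed challenge, and hypothetical helper names, and only shows the derivation logic.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA key from two small primes. Hypothetical illustration only; a real
# smart card holds a 2048-bit or larger key and never exports d.
@dataclass(frozen=True)
class ToyRsaKey:
    n: int
    e: int
    d: int

def toy_keypair(p: int, q: int, e: int = 17) -> ToyRsaKey:
    n, phi = p * q, (p - 1) * (q - 1)
    return ToyRsaKey(n, e, pow(e, -1, phi))  # modular inverse needs Python 3.8+

# Constructed fixed challenge; a real plugin would sign a stored, database-specific value.
CHALLENGE = b"constructed fixed challenge for the database"

def sign_challenge(key: ToyRsaKey, data: bytes) -> bytes:
    """Deterministic private-key operation: hash reduced mod n, then s = h^d mod n."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % key.n
    return pow(h, key.d, key.n).to_bytes((key.n.bit_length() + 7) // 8, "big")

def hidden_master_password(signature: bytes) -> bytes:
    """The 'hidden second Master Password' is a function of the signature only."""
    return hashlib.sha256(b"hidden-mp|" + signature).digest()

def composite_key(master_password: bytes, key: ToyRsaKey, not_after: str) -> bytes:
    """Certificate metadata such as not_after is deliberately not mixed in, so an
    expired-but-still-present key opens the database; a changed key does not."""
    hidden = hidden_master_password(sign_challenge(key, CHALLENGE))
    return hashlib.sha256(master_password + hidden).digest()

def recovery_key(master_password: bytes, signature_hex: str) -> bytes:
    """Recovery from the exported signature hex alone: no private key is needed,
    which is exactly why exporting it removes the Smart Card from the equation."""
    hidden = hidden_master_password(bytes.fromhex(signature_hex))
    return hashlib.sha256(master_password + hidden).digest()

def demo():
    card_2019 = toy_keypair(61, 53)   # key behind the original certificate
    card_2021 = toy_keypair(67, 71)   # renewed certificate issued with a new key pair
    pw = b"correct horse battery staple"
    k_valid = composite_key(pw, card_2019, "2021-01-01")
    k_expired = composite_key(pw, card_2019, "2019-01-01")  # same key, expired cert
    k_renewed = composite_key(pw, card_2021, "2023-01-01")  # new key: DB stays locked
    sig_hex = sign_challenge(card_2019, CHALLENGE).hex()    # what the recovery mode would show
    return k_valid == k_expired, k_valid == k_renewed, recovery_key(pw, sig_hex) == k_valid
```

`demo()` returns `(True, False, True)`: expiry alone changes nothing, a new key pair locks the database, and the exported signature opens it without the card.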