Expired certificates still exist in Win2008 R2
Hi friend,
In any Win 2008 R2, in the MMC console, in the Certificates snap-in, under the Trusted Root Certification Authorities node, we see that some certificates which have expired still exist there (for example, Microsoft Authenticode(tm) Root Authority, which is valid from 1995 to 2000). Why do they still exist here, and why hasn't Microsoft removed them from this list?
Thanks in advance
February 4th, 2012 4:00pm
This is because you didn't read my blog post article (I've pointed you to it in a previous forum post):
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ea7d9e8e-a850-4ff6-897e-4591beb76d3b
Again, I'm referencing you to this article:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=27
And this part:
Some time ago (some years) I asked a question — "for what purposes is Windows shipped with expired root certificates in the Trusted Root CAs container? They are expired and there are no reasons to trust them!". And the answer is pretty simple — for timestamped digital signature checking purposes.
Timestamped signatures (yep, expired CAs issued authenticode signing certs) can be validated even after all certificate expiration (signing, CA and timestamping certificates).

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
February 4th, 2012 4:11pm
One reason is that that CA has been used historically to issue code signing certificates that still need to be trusted (although the CA itself has expired) to be able to run/verify old binaries that were digitally signed by that certificate when it was time valid!
/Hasain
February 4th, 2012 4:11pm
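
The behaviour described in the two answers above can be observed directly with PowerShell. This is an added example, not code from either poster or from the linked blog: it lists the expired roots in the machine store, then reports for a signed file whether the signer and root have expired, whether a timestamp is present, and what status Windows assigns. The function names and the file path in the usage comment are placeholders chosen for this example.

```powershell
# Added example; read-only. Lists expired roots and inspects file signatures.
function Get-ExpiredTrustedRoot {
    # Roots in the machine store whose validity period has already ended.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.NotAfter -lt $now } |
        Sort-Object NotAfter |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint
}

function Test-TimestampedSignature {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    $now = Get-Date
    foreach ($file in $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        if (-not $signer) { continue }   # unsigned file, nothing to inspect

        # Build the signer's chain without revocation lookups (works offline)
        # to find the certificate the chain ends at. Build() may return
        # $false for an expired chain; the elements are still populated.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($signer)
        $count = $chain.ChainElements.Count
        if ($count -eq 0) { continue }
        $root = $chain.ChainElements[$count - 1].Certificate

        New-Object PSObject -Property @{
            File          = $file
            Status        = $sig.Status    # 'Valid' when Windows accepts the signature
            SignerExpired = ($signer.NotAfter -lt $now)
            RootSubject   = $root.Subject
            RootExpired   = ($root.NotAfter -lt $now)
            Timestamped   = ($sig.TimeStamperCertificate -ne $null)
        }
    }
}

# Usage (the path is a placeholder for an old, Authenticode-signed binary):
#   Get-ExpiredTrustedRoot | Format-Table -AutoSize
#   Test-TimestampedSignature -Path 'C:\Path\To\old-signed.exe' | Format-List
```

A result with `Status` of `Valid`, `Timestamped` true, and `SignerExpired` or `RootExpired` true is the case the answers describe: the signature is still accepted because it was timestamped while the certificates were time valid, and the expired root must remain in the store for the chain to be trusted.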
Thanks to all repliers
February 4th, 2012 4:19pm


