What happens when a code signing certificate expires?
If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.
From Thawte Code Signing Certificate FAQs:
How long can I use a Code Signing Certificate for?
- Code Signing Certificates are valid for 1 or 2 years depending on which life cycle you choose when you purchase the certificate. Please note: For Microsoft® Authenticode® (Multi-Purpose), you should also timestamp your signed code to avoid your code expiring when your certificate expires.
Is timestamped code valid after a Code Signing Certificate expires?
- Microsoft® Authenticode® (Multi-Purpose) allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired.
Watch out for certificates with WTD_LIFETIME_SIGNING_FLAG set: It means (despite what you mind assume from the name) that a program signed with the certificate is invalid after the certificate expires, even though the program hasn’t changed, and the certificate was valid when it was signed.
This also affects updates, in that even if the customer checks the box to trust all programs from your company, if your update program isn't signed with the same cert (or that cert expires) then the trust fails.
From: http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
Timestamp Processing with Lifetime Signing Semantics
Applications or certification authorities that do not want timestamped signatures to verify successfully for an indefinite period of time have two options:
• Set the lifetime signer OID in the publisher’s signing certificate.
If the publisher’s signing certificate contains the lifetime signer OID in addition to the PKIX code signing OID, the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. The lifetime signer OID is defined as follows:
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
• Set the WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure when calling WinVerifyTrust.
If a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure and the publisher’s signing certificate has expired, WinVerifyTrust reports the signature as invalid even if the signature is timestamped.
If a publisher revokes a code signing certificate that contains the lifetime signer OID or a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure, WinVerifyTrust reports the signature as valid if both of the following conditions are met:
• The signature was timestamped before the revocation date.
• The signing certificate is still within its validity period. After the validity period expires, the signature becomes invalid.
For Example: https://forum.startcom.org/viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827
That is a serious problem with StartSSL certificates. It doesn't surprise me that there are limitations in a certificate that cost so little, but burying this limitation in the fine print or in an old forum post instead of making it clear in the product description is poor business. They may fix it in the future, and others may or may not have the same limitation so an email to check before you spend might be wise.
Guess who didn't know to ask? LOL... oh well, live and learn.