
This certificate has expired or is not yet valid!!!!.

Lucas Peñaloza 341 Reputation points
2026-03-10T17:04:48.0333333+00:00

Dear,

We have a certificate that shows:

User's image

In Personal/Certificates;

User's image

The certificates appear as if they are not expired.

How to proceed in these cases?

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Answer accepted by question author
  1. VPHAN 25,000 Reputation points Independent Advisor
    2026-03-10T17:46:33.89+00:00

    Hi Lucas Peñaloza,

    Seeing a certificate flagged as expired when its listed validity dates show it is still within its active lifecycle is a common scenario in Windows environments. The discrepancy occurs because the general directory view in the Certificates manager simply displays the static text fields of the certificate, while opening the certificate properties actively triggers the Windows Cryptography API to evaluate the entire chain of trust. The specific error message you are seeing usually means that while your individual end-entity certificate is temporally valid, one of the parent certificates in the hierarchy has exceeded its own validity period or is not yet valid.

    To confirm exactly which part of the chain is failing, you should inspect the trust hierarchy directly by switching to the Certification Path tab within that same certificate properties window. This view maps out the cryptographic relationship between your local certificate, the intermediate authority, and the ultimate Root CA. You will typically find a red error icon on the specific parent authority that has expired or is causing the trust validation failure.

    Resolving this issue requires addressing the problematic parent authority rather than the leaf certificate itself. The administrators responsible for your internal PKI environment must renew the expired Intermediate or Root CA certificate and distribute the updated public certificate to all client and server machines. In an Active Directory environment, this is standardly handled by deploying the new certificate via Group Policy to the Trusted Root or Intermediate Certification Authorities stores. If the certification path unexpectedly appears entirely healthy with no red icons, you should verify that the local operating system clock is accurate, as a severely desynchronized local system clock skewed outside the certificate's validity window can also trigger this exact active evaluation failure.

    Hope this answer brought you some useful information. If it did, please hit "accept answer". Should you have any questions, feel free to leave a comment.

    VP

    1 person found this answer helpful.

1 additional answer

  1. Q&A Assist
    2026-03-10T17:05:05.5233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The message “This certificate has expired or is not yet valid” appears when the system time or the certificate chain doesn’t match the validity period, even if the leaf certificate itself shows a valid “Valid from … to …” range.

    For this situation, use these checks and corrective actions:

    1. Verify system date and time
      • On the server and on any client that shows the error, confirm that date, time, and time zone are correct.
      • If they are wrong (for example, ahead of 2026 or before 2024 in the screenshot), correct them and retry the connection.
    2. Check the full certificate chain
      • In the certificate dialog, select the Certification Path tab.
      • Confirm that all certificates in the chain (leaf, issuing CA, and root CA) are valid (no red X or warning icons).
      • If any CA certificate in the chain is expired or not yet valid, replace or renew that CA certificate and redeploy the updated chain to the server and clients.
    3. Confirm that the correct certificate is being used
      • In the Personal store there may be multiple certificates for the same subject name with different validity periods.
      • Ensure that the service (IIS site, LDAPS, RDP, etc.) is bound to the currently valid certificate, not to an older one.
      • Update the binding to the newer certificate and restart the service if required.
    4. Ensure revocation information is available
      • If the issuing CA’s CRL or OCSP responder is unreachable, some components may treat the certificate as invalid.
      • Make sure CRL/OCSP URLs in the certificate are reachable from the client and server, and that CRLs are not expired.
    5. Renew or replace expired certificates
      • If any certificate in the chain is actually expired, renew or replace it and redeploy the new certificate chain.
      • For services like AD FS, Exchange, SharePoint, or Azure-based workloads, follow the product-specific renewal guidance and then update the service configuration so it uses the new certificate.

    After these steps, the certificate dialog should no longer show the “expired or not yet valid” message, and clients should connect without certificate validity errors.
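
The checks described in both answers above (local clock, validity period of every certificate in the chain, duplicate certificates for the same subject) can be scripted. This is an added example, not part of either answer and not Microsoft's code; the thumbprint is a placeholder and the store path `Cert:\LocalMachine\My` is an assumption to adjust for the affected certificate.

```powershell
# Added example: show which chain element is outside its validity period.
# $Thumbprint is a placeholder; $StorePath is an assumed location.
param(
    [string]$Thumbprint = '<THUMBPRINT-OF-AFFECTED-CERTIFICATE>',
    [string]$StorePath  = 'Cert:\LocalMachine\My'
)

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

# Build the chain through the Windows chain engine. Revocation checking is
# switched off here so an unreachable CRL/OCSP endpoint does not mask a
# validity-period problem; check revocation separately.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

$now = Get-Date
"Local clock (UTC):  {0:u}" -f $now.ToUniversalTime()
"Chain valid (no revocation check): $chainOk"

# One entry per chain element, leaf first, root last. NotBefore/NotAfter are
# local time, so they are compared against the local clock.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $state = if ($now -lt $c.NotBefore) {
        'NOT YET VALID'
    } elseif ($now -gt $c.NotAfter) {
        'EXPIRED'
    } else {
        'within validity period'
    }
    [pscustomobject]@{
        Subject     = $c.Subject
        NotBefore   = $c.NotBefore
        NotAfter    = $c.NotAfter
        Validity    = $state
        ChainStatus = ($element.ChainElementStatus.Status -join ', ')
    }
}

# Other certificates in the same store issued to the same subject; a service
# bound to an older one keeps presenting the expired certificate.
Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -eq $cert.Subject } |
    Sort-Object NotAfter |
    Select-Object Thumbprint, NotBefore, NotAfter
```

A `NotTimeValid` flag in `ChainStatus` on a CA entry, with the leaf shown as within its validity period, matches the situation in the question. If every entry is within its period and the chain still fails on time validity, compare the printed clock against a trusted time source.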


