From an answer to the question "What happens when a code signing certificate expires?", I found out that there is the WTD_LIFETIME_SIGNING_FLAG which could imply unintended behavior of signed executables.
When the certificate is installed I can use the following procedure to check for the flag:
- open Internet Explorer (the following refers to version 11)
- go to Tools/Internet Options
- go to the "Content" tab
- click "Certificates"
- select the certificate and choose "Advanced"
- scroll down until you find the "Lifetime signing" checkbox
I'd like to find out about this flag in PFX files without importing them to my certificate store (which would mean trusting them).
I tried certutil -dump <pfx>, but that doesn't list the flags at all. Next, I used certutil -dump -v <pfx>, which lists Code Signing (1.3.6.1.5.5.7.3.3), but not Lifetime signing (for a certificate that had the checkbox checked in IE).
It seems the described procedure in Internet Explorer is just a setting for Internet Explorer, not the actual flags of the certificate. You can check or uncheck the properties under "Advanced", which is certainly not possible for the real properties of the certificate. However, I didn't find a place where those settings would take effect.
Instead of the "Advanced" button, click "View" and then
The only property there is "Code Signing (1.3.6.1.5.5.7.3.3)" and that matches the output of certutil -dump -v.
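To read the Enhanced Key Usage extension straight out of a PFX without adding it to any certificate store, here is an added PowerShell example (not from the question or the answer above). It assumes .NET Framework 4.7.2 or later for the EphemeralKeySet flag, a placeholder PFX path, and Microsoft's lifetime-signing EKU OID 1.3.6.1.4.1.311.10.3.13 (szOID_KP_LIFETIME_SIGNING), which is not mentioned on this page.

```powershell
# Added example: list the EKU OIDs actually encoded in a PFX's certificate,
# without importing it into a store and without persisting its private key.
# Assumes .NET Framework 4.7.2+ (EphemeralKeySet); the path is a placeholder.
$PfxPath     = 'C:\path\to\signer.pfx'   # placeholder, replace with your file
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Standard code-signing EKU (the OID certutil printed on this page) and
# Microsoft's lifetime-signing EKU (szOID_KP_LIFETIME_SIGNING, assumed here).
$CodeSigningOid     = '1.3.6.1.5.5.7.3.3'
$LifetimeSigningOid = '1.3.6.1.4.1.311.10.3.13'

# EphemeralKeySet keeps the private key in memory only: nothing is written to
# a key container or to a certificate store, so no trust decision is made.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)

# Pick the EKU extension (OID 2.5.29.37); .NET exposes it as a typed object.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

if (-not $eku) {
    Write-Output "No Enhanced Key Usage extension: the certificate is not restricted to any purpose."
} else {
    foreach ($oid in $eku.EnhancedKeyUsages) {
        Write-Output ("{0}  {1}" -f $oid.Value, $oid.FriendlyName)
    }
    $hasCodeSigning = $eku.EnhancedKeyUsages.Value -contains $CodeSigningOid
    $hasLifetime    = $eku.EnhancedKeyUsages.Value -contains $LifetimeSigningOid
    Write-Output "Code Signing EKU present:     $hasCodeSigning"
    Write-Output "Lifetime Signing EKU present: $hasLifetime"
}
```

If the IE checkbox is set for an imported copy but this script reports no lifetime-signing OID, the checkbox is a property of the local store entry rather than of the certificate, and the extension list above is what any other machine verifying the signature will see.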