By default, Carbon Black App Control allows the use of expired certificates whose verifiable timestamp is within the certificate validity period to approve files by publisher.

If the timestamp is missing, invalid, or is not within the certificate validity period, then the software cannot be approved by publisher.

You can disable approval by expired certificates that would otherwise be trusted by Carbon Black App Control. This provides extra security, but can prevent approval of legitimate files whose valid certificate is now out of date.

When you disable Allow approval of software with expired certificates, all publishers are re-evaluated. However, if a file was locally approved by a publisher with an expired certificate when this was allowed, it remains locally approved when the setting is disabled.
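The following added example (not Carbon Black code and not part of the product) models the rule described above so you can estimate, from a signed-file inventory, which files depend on the expired-certificate setting before you disable it. The SignedFile record, the function names, and the sample data are hypothetical, and the sketch assumes that files whose certificate has not yet expired are unaffected by the setting.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class SignedFile:                   # hypothetical record, not a product schema
    name: str
    not_before: datetime            # start of certificate validity period
    not_after: datetime             # end of certificate validity period
    timestamp: Optional[datetime]   # signing timestamp, None if missing
    timestamp_verified: bool        # False when the timestamp is invalid
    locally_approved: bool = False  # already approved by publisher locally

def eligible(f, now, allow_expired):
    """Publisher-approval eligibility under the rule described above."""
    if now <= f.not_after:
        return True                 # assumption: unexpired certificates are unaffected
    if not allow_expired or f.timestamp is None or not f.timestamp_verified:
        return False
    # Expired certificate: the timestamp must fall inside the validity period.
    return f.not_before <= f.timestamp <= f.not_after

def impact_of_disabling(files, now):
    """Map each file that depends on the setting to what happens to it."""
    report = {}
    for f in files:
        if eligible(f, now, True) and not eligible(f, now, False):
            report[f.name] = ("stays locally approved" if f.locally_approved
                              else "loses publisher approval")
    return report

NOW = utc(2024, 6, 1)               # constructed evaluation date
SAMPLE = [                          # constructed inventory
    SignedFile("current.exe", utc(2023, 1, 1), utc(2025, 1, 1), utc(2023, 5, 1), True),
    SignedFile("legacy-tool.exe", utc(2019, 1, 1), utc(2021, 1, 1), utc(2020, 3, 1), True),
    SignedFile("late-stamp.exe", utc(2019, 1, 1), utc(2021, 1, 1), utc(2022, 2, 1), True),
    SignedFile("no-stamp.dll", utc(2019, 1, 1), utc(2021, 1, 1), None, False),
    SignedFile("old-driver.sys", utc(2018, 1, 1), utc(2020, 1, 1), utc(2019, 6, 1), True, True),
]

if __name__ == "__main__":
    for name, outcome in impact_of_disabling(SAMPLE, NOW).items():
        print(f"{name}: {outcome}")
```

Files that were never eligible (late or missing timestamp) do not appear in the report, because disabling the setting changes nothing for them.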

The Expired Certificates setting has no effect on bans of publishers. Therefore, you can ban files by publisher even if they have an invalid signature or an expired certificate.

Caution: It is especially important to set the expired certificate option before generating installation packages for agents that will be primarily or permanently disconnected from the server. This ensures that disconnected agents handle expired certificates appropriately.