Configuration settings on the Advanced tab of the System Configuration page determine whether a certificate approval is effective in determining the state of a file signed by that certificate.

See Determining Which Certificates Can Approve Files for details about these configuration options.

Certificates can be approved and banned themselves, and they also can be used to approve or ban a publisher by name. Use the following information when setting or viewing Certificate Options on the Advanced Options page:

  • You can approve a certificate that does not meet these configuration requirements, and the certificate itself will show a Certificate State of Approved. However, the Certificate Global State (the effective state) of such a certificate cannot be Approved.
  • Certificate Options choices have no effect on cosigner certificates.
  • Certificate Options choices do not prevent any certificate from being banned, or prevent the value of Certificate Global State from being Banned. See Certificate Global State for more information.
  • The Expired Certificates option on the System Configuration/Advanced Options tab does not affect the ability to globally approve a certificate. The option determines whether an expired certificate can be used to approve a file by publisher. If the box is checked, and if a file has a certificate that has expired but was used to sign the file during the valid period, the certificate may be used for approval by publisher. If the box is not checked, expired certificates may not be used to approve files by publisher. This setting does not affect Certificate Global State.