In accordance with the German Signature Act, a qualified certificate does not become invalid if a higher-level root or CA certificate expires. This way of checking the validity of qualified certificates is known as the “chain model”. For a validity check according to the chain model, it is essential that the next certificate up is or was valid at the time the signature or certificate was created. It is therefore also permitted for the validity period of a qualified certificate to extend beyond the validity period of the corresponding CA certificate. MS Windows, however, checks certificates using the shell model, which, unlike the chain model, requires all certificates in the certification path to be valid at the time of checking. Thus, in the above-mentioned case, MS Windows reports an incorrect status for a qualified certificate.
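
The difference between the two models, as an added example that is not part of the original page: it compares validity periods only (no signature or revocation checks) and assumes a certificate's creation time equals its not_before date. All names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


def utc(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def shell_model(path: List[Cert], check_time: datetime) -> bool:
    """Every certificate in the path must be valid at the time of checking."""
    return all(c.valid_at(check_time) for c in path)


def chain_model(path: List[Cert], signing_time: datetime) -> bool:
    """path is ordered signer certificate first, root last.

    The signer certificate must have been valid when the signature was created,
    and each issuer must have been valid when the certificate below it was
    created (assumption: creation time == that certificate's not_before).
    """
    if not path or not path[0].valid_at(signing_time):
        return False
    return all(issuer.valid_at(subject.not_before)
               for subject, issuer in zip(path, path[1:]))


# Constructed sample path: the qualified certificate outlives its CA certificate.
ROOT = Cert("Example Root", utc(2010), utc(2020))
CA = Cert("Example CA", utc(2012), utc(2017))
SIGNER = Cert("Example Signer", utc(2016, 6), utc(2019, 6))
PATH = [SIGNER, CA, ROOT]

if __name__ == "__main__":
    signing_time = utc(2018, 3)  # CA certificate expired, signer still valid
    check_time = utc(2018, 9)    # later verification of the same signature
    print("chain model:", chain_model(PATH, signing_time))
    print("shell model:", shell_model(PATH, check_time))
```

With the sample path, the chain model accepts a signature made in March 2018, while a shell-model check in September 2018 rejects the same path because the CA certificate expired at the start of 2017.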


We recommend that you do not use qualified signatures in e-mails. As a rule, you are then also signing content that is not visible to you. For this reason, we do not offer a corresponding plug-in for e-mail programs. From a security perspective, we recommend that, instead of a signed e-mail, you send a signed file which can be attached to an e-mail.