A certificate has a predefined validity period that comprises a start date and time and an end date and time. An issued certificate's validity period cannot be changed after certificate issuance. Determining the validity period at each tier of the CA hierarchy, including the validity period of the certificates issued to users, computers, services, or network devices, is a primary step when defining a CA hierarchy.
The recommended strategy for determining certificate validity periods is to start with the certificates issued to users, computers, services, or network devices by issuing CAs. The main point to remember is that a CA should not issue a certificate that exceeds the remaining lifetime of the CA certificate. Although the standards allow it, this scenario leads to issued certificates becoming unusable when the issuing CA's certificate expires, even though they still have validity period remaining. You should ensure that the CA has enough remaining lifetime on its certificate to issue certificates with the required validity periods. A good rule of thumb is to make the CA certificate validity period at least twice as long as the maximum validity period of any CA-issued certificate. Figure 5-9 shows an example of a two-tier CA hierarchy that issues certificates with a maximum validity period of five years.
In this example, it is known that the maximum validity period for certificates issued by the policy/issuing CA is five years. To ensure that the remaining validity period of the policy/issuing CA does not affect the validity period of the issued certificates, you must double the validity period value of the policy/issuing CA to 10 years.
In addition to doubling the validity period, you can also follow best practices and ensure that the CA certificate is renewed at half of its validity period. The first time you renew a CA certificate (after a period of five years in this scenario), you renew with the original key pair. After the next five years pass, you renew the CA certificate with a new key pair. This ensures that the same key pair is never used for a period longer than the intended original validity period of 10 years.
Likewise, the validity period of the root CA certificate should be double the validity period of the policy/issuing CA certificate. In this example, the validity period of the root CA certificate would be 20 years, double the 10-year validity period of the policy/issuing CA. As with the policy/issuing CA, it is recommended to renew the root CA certificate at half of its validity period—10 years—by using the same key pair. Again, at the full validity period—20 years—you renew the root CA certificate with a new key pair.
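The sizing and renewal rules above, worked through in code. This is an added example and not part of the original text; the tier names, the `CaTier` structure, the function names and the sample dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CaTier:
    name: str
    validity_years: int
    renew_same_key_after: int   # years after issuance: renew, keep the key pair
    renew_new_key_after: int    # years after issuance: renew with a new key pair

def plan_hierarchy(max_leaf_years: int, tier_names=("policy/issuing CA", "root CA")) -> list[CaTier]:
    """Doubling rule: each CA tier is valid twice as long as the longest certificate
    it issues, renewed at half its validity (same key) and at full validity (new key)."""
    tiers, years = [], max_leaf_years
    for name in tier_names:            # bottom tier first, root last
        years *= 2
        tiers.append(CaTier(name, years, years // 2, years))
    return tiers

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def issuance_check(ca_not_after: date, today: date, requested_years: int) -> tuple[bool, date]:
    """A CA must not issue a certificate that outlives its own certificate.
    Returns (fits, effective_not_after); when the request does not fit, the
    end date is clamped to the CA certificate's own expiry."""
    requested_end = add_years(today, requested_years)
    if requested_end <= ca_not_after:
        return True, requested_end
    return False, ca_not_after

def renewal_schedule(issued: date, tier: CaTier) -> list[tuple[date, str]]:
    return [
        (add_years(issued, tier.renew_same_key_after), "renew, same key pair"),
        (add_years(issued, tier.renew_new_key_after), "renew, new key pair"),
    ]

if __name__ == "__main__":
    # Constructed example dates: the two-tier hierarchy from the text with a 5-year maximum.
    for tier in plan_hierarchy(5):
        print(tier.name, f"{tier.validity_years}y", renewal_schedule(date(2026, 1, 1), tier))
    # An issuing CA whose certificate expires in 2030 cannot grant a 5-year certificate in 2026.
    print(issuance_check(date(2030, 1, 1), date(2026, 1, 1), 5))
```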
You should not go to extremes with the validity period. The longer a certificate's key pair is valid, the more time an attacker has to try to determine the value of the private key based on the public key and examples of the encryption performed by the private key. The risk of determining the private key is even higher for shorter keys (1024 bits) than for longer keys (4096 bits). Implementing a root CA with a validity period longer than 20 years is not recommended.