Reference the NIST SP 800 series or the CA/Browser committee:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
https://cabforum.org/
Yes, three years is all that we get, and that does not cover all certificate types.
This is why no CA will sign CSRs for more than 3 years (1095 days), so if you need an SSL certificate, that certificate would need a life expectancy of 1095 days or less.
Also, you will never find a CA that will sign a sub-key for longer than its own key (this should be obvious).
You will find that some CAs follow the 39-month max lifetime, and most EV certificates are issued at a max of 1 or 2 years depending on their policies. And yes, it's all about the money ;)
The CA and intermediates could have lifetimes of between 10 and 30 years.
So if you want a certificate signed for longer, you need your own private CA.
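The two rules above (a 1095-day ceiling on the end-entity certificate, and no certificate outliving its issuer) can be checked over a chain's validity dates. This is an added example, not code from the original post; the chain names and dates are constructed, and the dates use the text format that OpenSSL prints.

```python
import ssl
from datetime import datetime, timezone

MAX_DAYS = 1095  # the 3-year ceiling quoted in the post

def _when(text):
    # Parse the time format OpenSSL prints, e.g. "Jan  1 00:00:00 2024 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def lifetime_days(cert):
    return (_when(cert["notAfter"]) - _when(cert["notBefore"])).days

def audit_chain(chain, max_days=MAX_DAYS):
    """chain is ordered leaf -> root. Returns a list of (name, finding) tuples.
    Pass max_days=None for a private CA that sets its own lifetime policy."""
    findings = []
    leaf = chain[0]
    if max_days is not None and lifetime_days(leaf) > max_days:
        findings.append((leaf["name"], "LIFETIME_EXCEEDS_MAX"))
    # No certificate should remain valid after the certificate that signed it.
    for child, issuer in zip(chain, chain[1:]):
        if _when(child["notAfter"]) > _when(issuer["notAfter"]):
            findings.append((child["name"], "OUTLIVES_ISSUER"))
    return findings

def cert(name, not_before, not_after):
    return {"name": name, "notBefore": not_before, "notAfter": not_after}

# Constructed sample chains (names and dates are made up for illustration).
PUBLIC_CHAIN = [
    cert("www.example.test", "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2026 GMT"),
    cert("Example Issuing CA", "Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2030 GMT"),
    cert("Example Root CA", "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2040 GMT"),
]
PRIVATE_CHAIN = [  # 5-year leaf, only possible under your own private CA
    cert("intranet.example.test", "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2029 GMT"),
    cert("Private Root CA", "Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2040 GMT"),
]
BROKEN_CHAIN = [  # leaf stays valid after its issuing CA has expired
    cert("www.example.test", "Jan  1 00:00:00 2024 GMT", "Jan  1 00:00:00 2026 GMT"),
    cert("Example Issuing CA", "Jan  1 00:00:00 2020 GMT", "Jun  1 00:00:00 2025 GMT"),
    cert("Example Root CA", "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2040 GMT"),
]

if __name__ == "__main__":
    for label, chain in (("public", PUBLIC_CHAIN), ("private", PRIVATE_CHAIN), ("broken", BROKEN_CHAIN)):
        print(label, audit_chain(chain))
```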
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \