Thursday, February 16, 2017

Private-key lifetime recommendations

For SSL certificates, the maximum lifetime recommended by NIST is 3 years.

Reference: the NIST SP 800 series or the CA/Browser Forum:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ 

https://cabforum.org/


Yes, three years is all we get, and that does not apply to all certificate types.

This is why no CA will sign a CSR for more than 3 years (1095 days), so if you need an SSL certificate, that certificate will have a life expectancy of 1095 days or less.


Also, you will never find a CA that signs a subordinate key for longer than the lifetime of its own key (this should be obvious).

You will find that some CAs follow the 39-month maximum lifetime, and most EV certificates are issued for a maximum of 1 or 2 years depending on the CA's policies. And yes, it's all about the money ;)

The CA root and intermediate certificates can have lifetimes of 10 to 30 years.

So if you want a certificate signed for longer than that, you need your own private CA.
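As an added worked example (not code from the original post), the Python script below checks a certificate chain's validity periods against the limits described above: it parses the text that `openssl x509 -noout -subject -issuer -dates` prints for each certificate, flags a leaf whose lifetime exceeds 1095 days or 39 months, and flags any certificate whose validity period extends beyond that of its issuer. The two sample chains and the names in them (`Example Root CA`, `intranet.example.test`, and so on) are constructed for this example; the "private" chain shows what a home-grown CA can do that a public CA cannot, plus a misconfigured intermediate that outlives its root.

```python
"""Added example: check certificate lifetimes against the limits discussed above.

Each certificate is described by the text that
`openssl x509 -noout -subject -issuer -dates -in cert.pem` prints. The two
sample chains below are constructed for this example and are not real
certificates. The leaf comes first in each chain, followed by its issuers.
"""
from datetime import datetime

MAX_LEAF_DAYS = 1095      # 3 years, the limit public CAs enforce
MAX_LEAF_MONTHS = 39      # the 39-month limit some CAs follow

# Constructed: a 2-year leaf under a 10-year intermediate and a 30-year root.
SAMPLE_PUBLIC_CHAIN = """\
subject=CN=www.example.test
issuer=CN=Example Issuing CA
notBefore=Feb 16 00:00:00 2017 GMT
notAfter=Feb 16 00:00:00 2019 GMT
---
subject=CN=Example Issuing CA
issuer=CN=Example Root CA
notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2025 GMT
---
subject=CN=Example Root CA
issuer=CN=Example Root CA
notBefore=Jan  1 00:00:00 2010 GMT
notAfter=Jan  1 00:00:00 2040 GMT
"""

# Constructed: a private CA that issued a 5-year leaf, with an intermediate
# that outlives its own root.
SAMPLE_PRIVATE_CHAIN = """\
subject=CN=intranet.example.test
issuer=CN=Example Private Issuing CA
notBefore=Feb 16 00:00:00 2017 GMT
notAfter=Feb 16 00:00:00 2022 GMT
---
subject=CN=Example Private Issuing CA
issuer=CN=Example Private Root CA
notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2035 GMT
---
subject=CN=Example Private Root CA
issuer=CN=Example Private Root CA
notBefore=Jan  1 00:00:00 2010 GMT
notAfter=Jan  1 00:00:00 2030 GMT
"""


def parse_cert(block):
    """Turn one openssl -subject/-issuer/-dates block into a dict with datetime values."""
    cert = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition("=")
        value = value.strip()
        if key in ("notBefore", "notAfter"):
            # openssl prints "Feb 16 00:00:00 2017 GMT"; the zone is always GMT, so drop it
            cert[key] = datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
        else:
            cert[key] = value
    return cert


def parse_chain(text):
    """Split the concatenated per-certificate output on '---' separators, leaf first."""
    return [parse_cert(block) for block in text.split("---")]


def lifetime_days(cert):
    """Validity period in whole days."""
    return (cert["notAfter"] - cert["notBefore"]).days


def lifetime_months(cert):
    """Validity period in months; a partial trailing month counts as a full month."""
    start, end = cert["notBefore"], cert["notAfter"]
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if (end.day, end.time()) > (start.day, start.time()):
        months += 1
    return months


def check_chain(chain):
    """Return (subject, finding) pairs; an empty list means every limit is respected."""
    findings = []
    leaf = chain[0]
    days, months = lifetime_days(leaf), lifetime_months(leaf)
    if days > MAX_LEAF_DAYS:
        findings.append((leaf["subject"], f"lifetime of {days} days exceeds {MAX_LEAF_DAYS} days"))
    if months > MAX_LEAF_MONTHS:
        findings.append((leaf["subject"], f"lifetime of {months} months exceeds {MAX_LEAF_MONTHS} months"))

    # A subordinate certificate must not be valid outside its issuer's validity period.
    by_subject = {c["subject"]: c for c in chain}
    for cert in chain:
        issuer = by_subject.get(cert["issuer"])
        if issuer is None or issuer is cert:
            continue  # self-signed root, or issuer not included in the supplied chain
        if cert["notAfter"] > issuer["notAfter"] or cert["notBefore"] < issuer["notBefore"]:
            findings.append((cert["subject"], f"validity extends beyond issuer {issuer['subject']}"))
    return findings


if __name__ == "__main__":
    for name, text in (("public", SAMPLE_PUBLIC_CHAIN), ("private", SAMPLE_PRIVATE_CHAIN)):
        findings = check_chain(parse_chain(text))
        print(f"{name} chain: {'within policy' if not findings else 'findings'}")
        for subject, finding in findings:
            print(f"  {subject}: {finding}")
```

To run it against real files, concatenate `openssl x509 -noout -subject -issuer -dates -in <file>` output for the leaf, intermediate and root with a `---` line between them and pass that text to `parse_chain`; the issuer-containment check matches the `issuer=` string of one certificate against the `subject=` string of another exactly as openssl prints them, so all certificates should be dumped with the same openssl version.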



Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
