Ask the Expert

When choosing a digital certificate, how important is the expiration period?

How much additional risk will I expose our infrastructure to if we use server certificates with a two-year expiration rather than those with one year?

    Requires Free Membership to View

This is a very good question as I'm sure most people choose the expiration period for their digital certificates based on cost alone. Thawte's Web server certificates, for example, currently cost $199 for one year subscription and $349 for two-year subscription. Cost, however, should not be the principal factor when planning your digital certificate policy. In fact, certificate lifetimes affect the security of your PKI infrastructure. Therefore, even if you issue your own certificates by acting as an enterprise certificate authority, you still need to be aware of longer expiration periods and their effect on security and certificate management.

A digital certificate uses a digital signature to bind a public key with an identity, to verify the name of a person or an organization. The longer a public/private key pair is in use, the greater the chances are that the keys can be compromised. For example, a Trojan horse could compromise the authentication store where the keys are located. To reduce this risk, the private key and public key set should be renewed whenever the certificate is renewed, rather than waiting until the keys reach their maximum lifetimes. When put into practice, certificates with stronger keys -- ones used less frequently and ones less open to potential attack -- could be issued with a two year expiration. Meanwhile, certificates with average key lengths and shorter lifetimes, like those of a Web server, should be renewed once a year.

If you act as your own certificate authority and use, for example, Windows Certificate Services to issue certificates to staff and servers, you will need to carefully plan the lifetime of your root certificate authority certificate. All certificates previously issued by a certificate authority expire when the root certificate of the certificate authority is renewed, regardless of whether or not the key pair is also re-approved. Therefore when a certificate authority certificate is renewed, all certificates that have been issued by that certificate authority must also be renewed. A certificate authority cannot issue certificates with a lifetime that extends beyond the validity period of its own root certificate. This rule is called nested validity or nested expiration. A certificate authority root certificate requires a longer lifetime than just one or two years. And, in fact, it's quite normal for a root certificate to have a lifetime of five years.. This increased lifetime does mean, however, that additional security measures must be taken to ensure the keys are not compromised. Locate servers and secure Web communications in locked data centers in order to minimize the risks of attacks. I would also recommend the use of hardware-based cryptography devices to store private keys. Private keys stored on tamper-resistant hardware are never revealed to the operating system or cached in memory since all cryptography takes place in the crypto-hardware rather than on the computer's hard disk drive.

More information:

  • Learn the weaknesses of a PKI architecture.
  • Find out your public key encryption options for email.
  • This was first published in December 2006

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: