When choosing a digital certificate, how important is the expiration period?

Expert response from: Michael Cobb, featured expert

QUESTION POSED ON: 11 November 2006
How much additional risk will I expose our infrastructure to if we use server certificates with a two-year expiration rather than those with one year?


This is a very good question, as I'm sure most people choose the expiration period for their digital certificates based on cost alone. Thawte's Web server certificates, for example, currently cost $199 for a one-year subscription and $349 for a two-year subscription. Cost, however, should not be the principal factor when planning your digital certificate policy. In fact, certificate lifetimes affect the security of your PKI infrastructure. Therefore, even if you issue your own certificates by acting as an enterprise certificate authority, you still need to be aware of longer expiration periods and their effect on security and certificate management.

A digital certificate uses a digital signature to bind a public key with an identity, to verify the name of a person or an organization. The longer a public/private key pair is in use, the greater the chances are that the keys can be compromised. For example, a Trojan horse could compromise the authentication store where the keys are located. To reduce this risk, the private key and public key set should be renewed whenever the certificate is renewed, rather than waiting until the keys reach their maximum lifetimes. When put into practice, certificates with stronger keys -- ones used less frequently and ones less open to potential attack -- could be issued with a two-year expiration. Meanwhile, certificates with average key lengths and shorter lifetimes, like those of a Web server, should be renewed once a year.

If you act as your own certificate authority and use, for example, Windows Certificate Services to issue certificates to staff and servers, you will need to carefully plan the lifetime of your root certificate authority certificate. All certificates previously issued by a certificate authority expire when the root certificate of the certificate authority is renewed, regardless of whether or not the key pair is also re-approved. Therefore, when a certificate authority certificate is renewed, all certificates that have been issued by that certificate authority must also be renewed. A certificate authority cannot issue certificates with a lifetime that extends beyond the validity period of its own root certificate. This rule is called nested validity or nested expiration. A certificate authority root certificate requires a longer lifetime than just one or two years. And, in fact, it's quite normal for a root certificate to have a lifetime of five years. This increased lifetime does mean, however, that additional security measures must be taken to ensure the keys are not compromised. Locate servers and secure Web communications in locked data centers in order to minimize the risks of attacks. I would also recommend the use of hardware-based cryptography devices to store private keys. Private keys stored on tamper-resistant hardware are never revealed to the operating system or cached in memory, since all cryptography takes place in the crypto-hardware rather than on the computer's hard disk drive.
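The lifetime rules in this answer (one year for Web server certificates, two for stronger and less exposed keys, about five for a root, a fresh key pair at every renewal, and nested expiration) turned into a small audit over a certificate inventory. This is an added example, not part of the original answer; the policy values, the `Cert` record and the sample inventory are assumptions constructed for it.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy: maximum lifetime in years per certificate class, following the
# answer's 1-year / 2-year / 5-year guidance. Keys are regenerated at renewal, so a
# key pair must not outlive one certificate lifetime of its class.
MAX_LIFETIME_YEARS = {"web-server": 1, "strong-key": 2, "root-ca": 5}
@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str        # issuer's name; equal to name for a self-signed root
    cls: str           # key in MAX_LIFETIME_YEARS
    not_before: date
    not_after: date
    key_created: date  # when the key pair bound by this certificate was generated

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def effective_not_after(cert, inventory):
    """Nested validity: a certificate is trusted only while every certificate above
    it in the chain is still valid, so the earliest expiry in the chain wins."""
    limit, cur, seen = cert.not_after, cert, set()
    while cur.issuer != cur.name:
        if cur.name in seen or cur.issuer not in inventory:
            raise ValueError(f"broken or looping chain at {cur.name}")
        seen.add(cur.name)
        cur = inventory[cur.issuer]
        limit = min(limit, cur.not_after)
    return limit

def audit(cert, inventory):
    max_years, findings = MAX_LIFETIME_YEARS[cert.cls], []
    if cert.not_after > add_years(cert.not_before, max_years):
        findings.append("lifetime-exceeds-policy")
    effective = effective_not_after(cert, inventory)
    if effective < cert.not_after:
        findings.append("nested-expiration")  # issuer expires first; the tail is dead
    if add_years(cert.key_created, max_years) < effective:
        findings.append("key-reused-across-renewals")
    return findings

# Constructed sample inventory (not real certificates): a five-year root, a two-year Web
# server cert on a key carried over from 2005, and a gateway cert outliving the root.
INVENTORY = {c.name: c for c in [
    Cert("Corp Root CA", "Corp Root CA", "root-ca", date(2006, 1, 1), date(2011, 1, 1), date(2006, 1, 1)),
    Cert("www.example.test", "Corp Root CA", "web-server", date(2006, 11, 11), date(2008, 11, 11), date(2005, 11, 11)),
    Cert("vpn-gateway", "Corp Root CA", "strong-key", date(2010, 6, 1), date(2012, 6, 1), date(2010, 6, 1)),
]}
```

Running `audit` over each entry flags the Web server certificate for both its two-year lifetime and its reused key, and the gateway certificate for expiring, in practice, on the root's date rather than its own.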

More information:

  • Learn the weaknesses of a PKI architecture.
  • Find out your public key encryption options for email.


