    CA Validity Periods

    Category: Water Closet
    Tags: root ca, subordinate ca, validity period
    20 Posts 6 Posters 600 Views
    • Obsolesce

      I don't see a need to update the Root CA until crypto provider, key length, hash algorithm, whatever... is no longer a valid option for the Root/Sub CAs. Other than that, zero benefit to updating an offline Root CA. So long as the certs created are secure to this day, the Root CA could be an offline shut off Server 2000 for all intents and purposes.

      • black3dynamite @Obsolesce

        @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

        • Obsolesce @black3dynamite

          @black3dynamite said in CA Validity Periods:

          @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

          When your Sub CA cert is near expiration, you'll have to turn on your RootCA to renew that, which will depend on several things, such as how long your regular certs are for. For example, your SubCA cannot issue a 2-year certificate to someone if the SubCA will be expiring sooner than that. So, this means you'll have to turn on your RootCA in at most 8 years, to reissue your SubCA cert, or your SubCA will not be able to issue any 2-year length certificates. Same concept applies for the Root/Sub CA. Your Root CA cannot issue another 10-year certificate to the SubCA if the RootCA certificate will be expiring sooner than 10 years.

          So it's not as it seems up front. It's important to have it documented well, and others aware of it.

          • Obsolesce @black3dynamite

            @black3dynamite said in CA Validity Periods:

            @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

            Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

            If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew your RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back up just fine in theory.

            If you have it turned on and networked for 8-20 years or whatever, I'm sure it's more likely to fuck up than if it's turned off.

            • black3dynamite @Obsolesce
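The validity nesting Obsolesce describes in the two posts above (a CA cannot confer validity past its own notAfter, so the sub CA has to be renewed leaf-lifetime years before it expires, and the root certificate has to be renewed first whenever its remaining life is shorter than the sub CA lifetime being requested) can be turned into a schedule. The following is an added example, not code from the thread or from any CA product; it uses only the Python standard library, takes the thread's 20-year root / 10-year sub CA / 2-year leaf numbers, and assumes a constructed first-issuance date of 2020-01-01 and that every renewal is done at the last possible moment.

```python
from datetime import date


def add_years(d: date, n: int) -> date:
    """Shift d by n calendar years (n may be negative).
    All dates in this example fall on 1 January, so no 29 February edge case arises."""
    return d.replace(year=d.year + n)


def effective_not_after(requested: date, issuer_not_after: date) -> date:
    """A CA cannot confer validity beyond its own certificate's notAfter.
    Windows ADCS truncates the child's notAfter to the issuer's notAfter, so a
    2-year request made 18 months before the sub CA expires yields an 18-month cert."""
    return min(requested, issuer_not_after)


def plan_ca_lifecycle(start: date, root_years: int, sub_years: int,
                      leaf_years: int, horizon_years: int) -> list[tuple[date, str]]:
    """Walk the two-tier hierarchy forward and list every date on which the
    offline root has to be powered on, and why.

    Assumption (ours, not the thread's): each renewal happens at the latest
    moment that still permits full-lifetime issuance, i.e. issuer notAfter
    minus the lifetime of what the issuer must issue. Real operations should
    renew earlier; this computes the hard deadline.
    """
    root_not_after = add_years(start, root_years)
    sub_not_after = effective_not_after(add_years(start, sub_years), root_not_after)
    horizon = add_years(start, horizon_years)
    events: list[tuple[date, str]] = []

    while True:
        # Deadline: after this date the sub CA can no longer issue a full-length leaf.
        deadline = add_years(sub_not_after, -leaf_years)
        if deadline >= horizon:
            break
        requested_sub_not_after = add_years(deadline, sub_years)
        if requested_sub_not_after > root_not_after:
            # The root's remaining life is shorter than the sub CA lifetime being
            # requested, so the root certificate must be renewed first; otherwise
            # the new sub CA cert would be truncated to the old root's notAfter.
            root_not_after = add_years(deadline, root_years)
            events.append((deadline,
                           f"renew root CA certificate first (new notAfter {root_not_after.isoformat()})"))
        sub_not_after = effective_not_after(requested_sub_not_after, root_not_after)
        events.append((deadline,
                       f"power on root, renew sub CA certificate (new notAfter {sub_not_after.isoformat()})"))
    return events


def thread_example(root_years: int = 20, sub_years: int = 10,
                   leaf_years: int = 2, horizon_years: int = 30) -> list[tuple[str, str]]:
    """The thread's numbers: 20-year root, 10-year sub CA, 2-year leaf certs,
    all first issued on 2020-01-01 (a constructed start date)."""
    events = plan_ca_lifecycle(date(2020, 1, 1), root_years, sub_years, leaf_years, horizon_years)
    return [(d.isoformat(), what) for d, what in events]


if __name__ == "__main__":
    # Leaf truncation: a 2-year request made one year before the sub CA expires
    # is clamped to the sub CA's own notAfter.
    print(effective_not_after(date(2031, 1, 1), date(2030, 1, 1)))
    for when, what in thread_example():
        print(when, what)
```

With the thread's numbers the schedule is: renew the sub CA in year 8 (2028), renew the root and then the sub CA in year 16 (2036), renew the sub CA again in year 24 (2044). Two caveats: strictly, RFC 5280 path validation only requires every certificate in the chain to be inside its validity period at the moment of validation, so the nesting is a property of CA software such as ADCS that refuses to sign past its own notAfter, not of X.509 itself; and the "at the last moment" assumption is a deadline, not a recommendation, since overlap is needed so that already-issued leaves keep a valid chain while clients pick up the renewed CA certificates.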

              @Obsolesce said in CA Validity Periods:

              If you have it turned on and networked for 8-20 years or whatever, I'm sure it's more likely to fuck up than if it's turned off.

              Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

              • Obsolesce @black3dynamite

                @black3dynamite said in CA Validity Periods:

                Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

                How's that going to affect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

                • black3dynamite @Obsolesce

                  @Obsolesce said in CA Validity Periods:

                  How's that going to affect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

                  What happens if browsers like Firefox, Edge or Chrome end up requiring certain new encryption or cryptography, like one of the elliptic curve types? And because the RootCA server has been offline for so long that it has an older SSL version, now you will have to get the server updated either offline or online.

                  • Obsolesce @black3dynamite

                    @black3dynamite said in CA Validity Periods:

                    What happens if browsers like Firefox, Edge or Chrome end up requiring certain new encryption or cryptography, like one of the elliptic curve types? And because the RootCA server has been offline for so long that it has an older SSL version, now you will have to get the server updated either offline or online.

                    That has to do with the certificate issued to the web server, not the root/sub certificates.

                    • Obsolesce

                      @Obsolesce said in CA Validity Periods:

                      That has to do with the certificate issued to the web server, not the root/sub certificates.

                      What you choose on the Microsoft RootCA is a good CSP. The RSA MSKSP should be fine for a super long time: https://docs.microsoft.com/en-us/windows/desktop/SecCertEnroll/cryptoapi-cryptographic-service-providers

                      • IRJ

                        @Obsolesce , yes CA being offline or at least pulling the private key off is pretty common.

                        • Obsolesce

                          And obviously, if something drastically changes, then in any case whatsoever, you'd have to update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

                          • IRJ @Obsolesce

                            @Obsolesce said in CA Validity Periods:

                            And obviously, if something drastically changes, then in any case whatsoever, you'd have to update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

                            This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

                            https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

                            • Obsolesce @IRJ

                              @IRJ said in CA Validity Periods:

                              This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

                              https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

                              Right, but that's a different and separate topic.

                              • scottalanmiller

                                Was this answered or is an answer still needed?
