    CA Validity Periods

    Tags: root ca, subordinate ca, validity period
    20 Posts 6 Posters 599 Views
    • IRJI
      IRJ
      last edited by

      I am trying to find Microsoft's best practice for validity lengths of CA root and subs. Does anyone know what Microsoft's recommendation is?

      dbeatoD 1 Reply Last reply Reply Quote 2
      • dbeatoD
        dbeato @IRJ
        last edited by

        @IRJ said in CA Validity Periods:

        I am trying to find Microsoft's best practice for validity lengths of CA root and subs. Does anyone know what Microsoft's recommendation is?

        The default is 5 years, but you can change it to what you want. I mean, you want the CA roots to not expire too often. That being said, if your environment is set up correctly, the certificate will be renewed automatically.

        1 Reply Last reply Reply Quote 3
        • dbeatoD
          dbeato
          last edited by dbeato

          But the default 5 years is recommended as you can see below:
          https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

          [Screenshot: AD CA Validity Best Practice]

          1 Reply Last reply Reply Quote 2
          • ObsolesceO
            Obsolesce
            last edited by

            I'd do what makes sense for your environment.

            How often do you want to spin up the Root CA to renew its cert and the Sub CAs? I set ours for 20 years, and the SubCA for 10 (I think). The RootCA stays turned off until it comes time for renewal of the Sub CAs or Root CA.

            Does your company have a policy in place to dictate Root/Sub CA certificate expiry?

            JaredBuschJ 1 Reply Last reply Reply Quote 1
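            An added example, not from the thread or from Microsoft's documentation, of where the two lifetimes discussed in this post actually get set on an AD CS root: the root's own certificate lifetime comes from CAPolicy.inf, which has to exist before the role is installed, and the lifetime of what the root issues (the sub CA certificate) comes from the CA registry afterwards. The 20-year and 10-year figures are the ones from the post above; the CA name is assumed. Run on the machine that will become the offline root, as an administrator.

```powershell
# Added example (not from the thread): root CA lifetime and sub CA lifetime on an AD CS offline root.
# Assumes the machine is not yet a CA and will be a standalone (workgroup, offline) root.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 1. CAPolicy.inf must be in %windir% BEFORE Install-AdcsCertificationAuthority runs.
#    RenewalValidityPeriod/Units set the root's own certificate lifetime, for the initial
#    certificate and for every later renewal (20 years here; the installer default is 5).
#    CRLPeriodUnits=26 weeks means the root only needs powering on twice a year to re-sign the CRL.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# 2. Install the standalone root. The -ValidityPeriod values are what the installer would use
#    on its own (default 5 years); with CAPolicy.inf present they are stated here only so the
#    intent is explicit in the script. CA name is assumed.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Example Offline Root CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# 3. Cap the lifetime of what this root ISSUES, i.e. the sub CA certificate, at 10 years.
#    The registry default is 2 years, so without this the sub CA request comes back
#    with a 2-year certificate no matter what the request asked for.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc

# 4. Checks: the effective issuance cap, and the root's own NotBefore/NotAfter and key size.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer } |     # self-signed: the root's own certificate
    Select-Object Subject, NotBefore, NotAfter,
        @{ n = 'KeyLength'; e = { $_.PublicKey.Key.KeySize } }
```

            The weak setting to watch for is step 3 left at its default: the root then hands the sub CA a 2-year certificate, and the "turn the root on once a decade" plan from the post quietly becomes "every two years".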
            • JaredBuschJ
              JaredBusch @Obsolesce
              last edited by

              @Obsolesce said in CA Validity Periods:

              I'd do what makes sense for your environment.

              How often do you want to spin up the Root CA to renew its cert and the Sub CAs? I set ours for 20 years, and the SubCA for 10 (I think). The RootCA stays turned off until it comes time for renewal of the Sub CAs or Root CA.

              Does your company have a policy in place to dictate Root/Sub CA certificate expiry?

              Ummm, WTF.

              CA is simply a role that should really just be added on to some existing server in many places. Who the hell will remember to boot this server every 20 years, run ungodly updates, and then hope it still functions as a CA?

              ObsolesceO 1 Reply Last reply Reply Quote 0
              • ObsolesceO
                Obsolesce @JaredBusch
                last edited by

                @JaredBusch said in CA Validity Periods:

                Ummm, WTF.

                CA is simply a role that should really just be added on to some existing server in many places. Who the hell will remember to boot this server every 20 years, run ungodly updates, and then hope it still functions as a CA?

                That's what documentation and training are for. Yes, it's simply a role, but it's not something you want online when you have thousands of certs for signatures and encryption stemming from it. Do you think Comodo keeps their root CAs online?

                It's kept offline completely, you don't need to update it. It will never see a network connection, ever. It just dishes out a cert every 10ish years, offline. When it's time to update, it's an entirely new CA you migrate.

                black3dynamiteB 1 Reply Last reply Reply Quote 0
                • ObsolesceO
                  Obsolesce
                  last edited by

                  I don't see a need to update the Root CA until crypto provider, key length, hash algorithm, whatever... is no longer a valid option for the Root/Sub CAs. Other than that, zero benefit to updating an offline Root CA. So long as the certs created are secure to this day, the Root CA could be an offline shut off Server 2000 for all intents and purposes.

                  1 Reply Last reply Reply Quote 0
                  • black3dynamiteB
                    black3dynamite @Obsolesce
                    last edited by

                    @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

                    ObsolesceO 2 Replies Last reply Reply Quote 0
                    • ObsolesceO
                      Obsolesce @black3dynamite
                      last edited by

                      @black3dynamite said in CA Validity Periods:

                      @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

                      When your Sub CA cert is near expiration, you'll have to turn on your RootCA to renew that, which will depend on several things, such as how long your regular certs are for. For example, your SubCA cannot issue a 2-year certificate to someone if the SubCA will be expiring sooner than that. So, this means you'll have to turn on your RootCA in at most 8 years, to reissue your SubCA cert, or your SubCA will not be able to issue any 2-year length certificates. Same concept applies for the Root/Sub CA. Your Root CA cannot issue another 10-year certificate to the SubCA if the RootCA certificate will be expiring sooner than 10 years.

                      So it's not as it seems up front. It's important to have it documented well, and others aware of it.

                      1 Reply Last reply Reply Quote 0
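                      As an added worked example (not code from the thread), the arithmetic in this post plus the check a practitioner would want on the resulting chain. One caveat on the wording above: AD CS does not refuse a request that would outlive the issuing CA's certificate; it issues the certificate with its NotAfter truncated to the CA's own NotAfter, so the symptom of a late renewal is server certificates that silently expire on the sub CA's date rather than a failed enrollment. The install date and the 20/10/2-year figures are constructed; the chain walk assumes a server certificate in the local machine store that chains up to the CA.

```powershell
# Added example (not from the thread): when does the offline root have to be powered on?
# A CA never issues a certificate that outlives its own; AD CS clamps the issued NotAfter to
# the issuing CA's NotAfter. So each tier's "renew by" date is its own NotAfter minus the
# longest lifetime it still has to be able to issue in full.

function Get-CARenewalDeadline {
    param(
        [Parameter(Mandatory)][datetime]$CaNotAfter,     # expiry of this CA's own certificate
        [Parameter(Mandatory)][int]$LongestIssuedYears   # longest cert this CA must still issue
    )
    # Last day on which this CA can still hand out a full-length certificate.
    return $CaNotAfter.AddYears(-$LongestIssuedYears)
}

# Constructed figures from the post: root 20 years, sub 10 years, end-entity certs 2 years.
$install      = Get-Date '2020-01-01'        # assumed install date
$rootNotAfter = $install.AddYears(20)        # 2040-01-01
$subNotAfter  = $install.AddYears(10)        # 2030-01-01

$subRenewBy  = Get-CARenewalDeadline -CaNotAfter $subNotAfter  -LongestIssuedYears 2   # 2028-01-01
$rootRenewBy = Get-CARenewalDeadline -CaNotAfter $rootNotAfter -LongestIssuedYears 10  # 2030-01-01

"Power on the root to renew the sub CA no later than: $($subRenewBy.ToShortDateString())"
"Renew the root itself before issuing another 10-year sub CA cert after: $($rootRenewBy.ToShortDateString())"

# Check an existing chain: walk leaf -> sub -> root and flag any certificate whose NotAfter
# sits on (or past) its issuer's NotAfter, which is what a clamped issuance looks like.
function Test-ChainValidityNesting {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline root: do not try to fetch its CRL here
    [void]$chain.Build($Leaf)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        $cert   = $certs[$i]
        $issuer = $certs[$i + 1]
        [pscustomobject]@{
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            IssuerNotAfter = $issuer.NotAfter
            # True means this certificate's lifetime was cut short by its issuer's own expiry.
            Clamped        = ($cert.NotAfter -ge $issuer.NotAfter)
        }
    }
    $chain.Dispose()
}

# Assumed: the first non-self-signed certificate in the machine store was issued by the sub CA.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object -First 1 |
    ForEach-Object { Test-ChainValidityNesting -Leaf $_ }
```

                      A row with Clamped = True on the sub CA line means the root was renewed too late for the sub to get its full 10 years; on a server certificate line it means the sub CA is already inside its last two years and the deadline computed above has been missed.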
                      • ObsolesceO
                        Obsolesce @black3dynamite
                        last edited by

                        @black3dynamite said in CA Validity Periods:

                        @Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

                        Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

                        If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew your RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back up just fine in theory.

                        If you have it turned on and networked for 8-20 years or whatever, I'm sure it's more likely to fuck up than if it's turned off.

                        black3dynamiteB 1 Reply Last reply Reply Quote 0
                        • black3dynamiteB
                          black3dynamite @Obsolesce
                          last edited by

                          @Obsolesce said in CA Validity Periods:

                          Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

                          If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew your RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back up just fine in theory.

                          If you have it turned on and networked for 8-20 years or whatever, I'm sure it's more likely to fuck up than if it's turned off.

                          Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

                          ObsolesceO 1 Reply Last reply Reply Quote 2
                          • ObsolesceO
                            Obsolesce @black3dynamite
                            last edited by

                            @black3dynamite said in CA Validity Periods:

                            Wouldn't it be wise to keep OpenSSL/LibreSSL updated at least?

                            How's that going to affect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

                            black3dynamiteB 1 Reply Last reply Reply Quote 0
                            • black3dynamiteB
                              black3dynamite @Obsolesce
                              last edited by

                              @Obsolesce said in CA Validity Periods:

                              How's that going to affect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

                              What happens if browsers like Firefox, Edge or Chrome end up requiring certain new encryption or cryptography, like one of the elliptic curve types? And because the RootCA server has been offline for so long that it has an older SSL version, you will now have to get the server updated, either offline or online.

                              ObsolesceO 1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce @black3dynamite
                                last edited by

                                @black3dynamite said in CA Validity Periods:

                                What happens if browsers like Firefox, Edge or Chrome end up requiring certain new encryption or cryptography, like one of the elliptic curve types? And because the RootCA server has been offline for so long that it has an older SSL version, you will now have to get the server updated, either offline or online.

                                That has to do with the certificate issued to the web server, not the root/sub certificates.

                                ObsolesceO 1 Reply Last reply Reply Quote 0
                                • ObsolesceO
                                  Obsolesce @Obsolesce
                                  last edited by

                                  @Obsolesce said in CA Validity Periods:

                                  That has to do with the certificate issued to the web server, not the root/sub certificates.

                                  What you choose on the Microsoft RootCA is a good CSP. The RSA MSKSP should be fine for a super long time: https://docs.microsoft.com/en-us/windows/desktop/SecCertEnroll/cryptoapi-cryptographic-service-providers

                                  1 Reply Last reply Reply Quote 0
                                  • IRJI
                                    IRJ
                                    last edited by

                                    @Obsolesce , yes CA being offline or at least pulling the private key off is pretty common.

                                    1 Reply Last reply Reply Quote 0
                                    • ObsolesceO
                                      Obsolesce
                                      last edited by

                                      And obviously, if something drastically changes, then in any case whatsoever, you'd have to update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

                                      IRJI 1 Reply Last reply Reply Quote 0
                                      • IRJI
                                        IRJ @Obsolesce
                                        last edited by IRJ

                                        @Obsolesce said in CA Validity Periods:

                                        And obviously, if something drastically changes, then in any case whatsoever, you'd have to update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

                                        This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

                                        https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

                                        ObsolesceO 1 Reply Last reply Reply Quote 0
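                                        An added example, not from the thread or from the linked article, of the renewal round trip the posts above describe, run mostly on the offline root: check what the root currently signs with, renew the root certificate with the existing key pair or with a new one, republish the root certificate and CRL, then sign the sub CA's renewal request. The CA name, the drive letter of the removable media and the request ID are assumed.

```powershell
# Added example (not from the thread): renewing an offline AD CS root, then its sub CA, with certutil.
# Lines run on the root unless the comment says otherwise. Names, paths and IDs are assumed.

# 0. Before renewing, look at what the root is actually signing with. These settings, not the
#    age of the OS, decide whether the existing key pair is still acceptable.
certutil -getreg CA\CSP\Provider            # e.g. Microsoft Software Key Storage Provider
certutil -getreg CA\CSP\CNGHashAlgorithm    # SHA1 here means: renew with a NEW key and move to SHA256 first
certutil -getreg CA\ValidityPeriodUnits     # the lifetime the root will hand the sub CA

# 1a. Renew the root certificate, same key pair. The public key and key identifier do not change,
#     so certificates already issued under the old root certificate keep chaining to the new one.
#     This is the "only the date is the problem" case.
certutil -renewCert ReuseKeys

# 1b. Renew with a new key pair instead when the key length or algorithm is no longer acceptable.
#     Anything issued under the old key validates only until the OLD root certificate expires;
#     new issuance chains to the new certificate, so plan the full redeploy described above.
# certutil -renewCert

Restart-Service certsvc
certutil -crl                               # publish a fresh CRL signed by the renewed certificate

# 2. Copy the new root .crt and .crl out of $env:windir\System32\CertSrv\CertEnroll to removable media.
#    On a domain-joined machine, as an Enterprise Admin, publish them so members pick them up via AD:
# certutil -dspublish -f 'E:\Example Offline Root CA.crt' RootCA
# certutil -dspublish -f 'E:\Example Offline Root CA.crl'

# 3. On the sub CA: request renewal. With the parent offline this writes a .req file into
#    CertEnroll and prints its path instead of submitting it anywhere.
# certutil -renewCert ReuseKeys

# 4. Back on the root: submit the request. A standalone root holds it as pending, so approve it
#    by request ID and then retrieve the signed certificate.
$config = "$env:COMPUTERNAME\Example Offline Root CA"     # assumed CA name
certreq -submit -config $config 'E:\SubCA.req' 'E:\SubCA.cer'
$RequestId = 7                                            # assumed; read it from the -submit output
certutil -resubmit $RequestId
certreq -retrieve -config $config $RequestId 'E:\SubCA.cer'

# 5. On the sub CA: install the renewed CA certificate and restart the service.
# certutil -installCert 'E:\SubCA.cer'
# Restart-Service certsvc

# 6. Check on the sub CA: its new NotAfter should be the full period from step 0, not clamped
#    to the root's NotAfter. If it is clamped, the root should have been renewed (step 1) first.
# certutil -cainfo
```

                                        The order matters: renewing the root (step 1) before signing the sub CA request (step 4) is what lets the sub get its full lifetime, which is the point Obsolesce makes above about the root not being able to issue a 10-year certificate when it has fewer than 10 years left.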
                                        • ObsolesceO
                                          Obsolesce @IRJ
                                          last edited by

                                          @IRJ said in CA Validity Periods:

                                          This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

                                          https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

                                          Right, but that's a different and separate topic.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            Was this answered or is an answer still needed?

                                            1 Reply Last reply Reply Quote 0