  • Status: Solved
  • Priority: Medium

Life period for certificates

I created a CA hierarchy. What is a good life period to set for a certificate that is set up just for digitally signing documents? I was thinking 2 years?

Thanks for any input on this
1 Solution
If you buy a certificate from Verisign, GeoTrust, etc., the normal validity period is 2 years. Since you created your own CA, I would set the validity for the time you know you're going to need the document signing service. Short validity can be a pain, because you need to issue new certificates when the validity period expires, and expiration dates are easy to forget.
Paranormastic (Cryptographic Engineer) commented:
You might consider looking into a time stamping solution to use in addition to the digital signature. The timestamp can still be used indefinitely after the dig sig expires, so you don't have to keep re-signing your docs. There are a number of free time stamping services out there; unless you have a pretty high volume I would suggest one of those. Setting up your own is not feasible for most due to the very high cost involved.

As stated above, 2 years is pretty normal for the industry, but if you use a 2048-bit keyset you should be able to pull 5 years just fine, as long as your CA certs are valid for that long.

Note that if you want the signatures to be legally binding you might want to contact a lawyer that specializes in IT stuff in your state/region/whatever. There may be requirements you need to know about (e.g. having the CA independently audited and writing up a Certificate Practices Statement (CPS) and Certification Policy (CP) to define how your CA is operated and certificates are issued). If you are just looking for it to be good for internal use then you probably don't need to worry about all that.
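The two points made in the answers above (a signing cert's lifetime is bounded by the CA cert that issued it, and a trusted timestamp lets a signature stay verifiable after the signing cert expires) as an added worked example. This is not code from the thread or from any of the posters; it assumes the third-party `cryptography` package is installed, and the timestamp is modelled as a trusted `check_time` rather than fetched from a real TSA. All names, lifetimes and the sample document are constructed for illustration.

```python
"""Added example (not from the thread): issue a document-signing certificate
from a private CA so its lifetime never exceeds the issuer's, and verify a
signature at a trusted timestamp instead of at the current time.
Assumes the third-party 'cryptography' package is installed."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = dt.timedelta(days=1)


def utcnow() -> dt.datetime:
    # Naive UTC datetimes throughout, matching what older 'cryptography'
    # releases return from not_valid_before/not_valid_after.
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def not_before(cert: x509.Certificate) -> dt.datetime:
    # cryptography >= 42 adds *_utc accessors; fall back for older releases.
    aware = getattr(cert, "not_valid_before_utc", None)
    return aware.replace(tzinfo=None) if aware else cert.not_valid_before


def not_after(cert: x509.Certificate) -> dt.datetime:
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware.replace(tzinfo=None) if aware else cert.not_valid_after


def _key_usage(ca: bool) -> x509.KeyUsage:
    # CA: certificate/CRL signing. Leaf: digitalSignature plus
    # contentCommitment (nonRepudiation), the bits a document signer needs.
    return x509.KeyUsage(
        digital_signature=True, content_commitment=not ca,
        key_encipherment=False, data_encipherment=False, key_agreement=False,
        key_cert_sign=ca, crl_sign=ca, encipher_only=False, decipher_only=False)


def make_root_ca(lifetime_days: int = 3650):
    """Self-signed root CA (hypothetical name, 10-year lifetime)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Internal Root CA")])
    now = utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY)
            .not_valid_after(now + lifetime_days * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_key_usage(ca=True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_signing_cert(ca_key, ca_cert, common_name: str, requested_days: int):
    """Issue an end-entity signing cert. The requested lifetime is clamped to
    the issuer's notAfter: a leaf that outlives its CA cannot be chained
    once the CA certificate expires."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = utcnow()
    end = min(now + requested_days * ONE_DAY, not_after(ca_cert))
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY)
            .not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_key_usage(ca=False), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def sign_document(key, document: bytes) -> bytes:
    return key.sign(document, padding.PKCS1v15(), hashes.SHA256())


def verify_at(cert, ca_cert, document: bytes, signature: bytes, check_time: dt.datetime) -> bool:
    """Verify the document signature and the CA's signature over the leaf,
    then require both certs to have been valid at check_time. With a trusted
    timestamp token, check_time is the TSA's time, which is what keeps the
    signature verifiable after the signing cert expires. Revocation status
    (CRL/OCSP as of check_time) is deliberately out of scope here."""
    try:
        cert.public_key().verify(signature, document, padding.PKCS1v15(), hashes.SHA256())
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return all(not_before(c) <= check_time <= not_after(c) for c in (cert, ca_cert))


def demo() -> dict:
    ca_key, ca_cert = make_root_ca(lifetime_days=3650)
    # 5 years requested for a 2048-bit key, as the thread suggests.
    key, cert = issue_signing_cert(ca_key, ca_cert, "Document Signing", requested_days=5 * 365)
    # 20 years requested: clamped to the root's notAfter.
    _, long_cert = issue_signing_cert(ca_key, ca_cert, "Too Long", requested_days=20 * 365)
    doc = b"constructed sample document"   # constructed input, not a real file
    sig = sign_document(key, doc)
    signed_at = utcnow()                   # stand-in for the TSA time in a timestamp token
    years_later = signed_at + 6 * 365 * ONE_DAY
    return {
        "leaf_within_ca": not_after(cert) <= not_after(ca_cert),
        "long_request_clamped": not_after(long_cert) == not_after(ca_cert),
        "valid_after_expiry_at_timestamp": verify_at(cert, ca_cert, doc, sig, signed_at),
        "valid_after_expiry_without_timestamp": verify_at(cert, ca_cert, doc, sig, years_later),
        "tampered": verify_at(cert, ca_cert, doc + b"x", sig, signed_at),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clamp in `issue_signing_cert` is the practical form of "as long as your CA certs are valid for that long": decide the leaf lifetime first, then make sure the issuing CA (and any intermediate above it) outlives it. The `verify_at` check is what a timestamp buys you: the verifier asks whether the chain was valid when the TSA said the signature existed, not whether it is valid today. A real long-term-validation setup also needs revocation data captured as of that time, which this example leaves out.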
jsprenk55 (Author) commented:
Thank you for your answers.
