How long should I set the validity period for the key recovery agent template?

marc broers asked
On my issuing CA, I'd like to create and publish a key recovery agent template.
How long should I set the validity period for the key recovery agent template? What's the best practice?

Exec Consultant
Distinguished Expert 2019
Commented:
As MS has also advised, the validity period cannot be greater than the validity period of the CA's certificate. The minimum renewal period is 80 percent of the certificate lifetime or six weeks, whichever is greater. Do note that the renewal period is for the certificate if re-enrollment is supported for your certificate template. https://technet.microsoft.com/en-us/library/cc725621(v=ws.10).aspx

Overall, do consider balancing the security vs your business priority. The latter carries heavier weight.

a) If the validity timeline period is operationally tight, e.g. shorter to ensure keys are always short and not susceptible (like the case of password policy changes of 90 days as an analogy), there can be inconveniences and pre-empted activities by the Ops cum IT team to prepare and plan early to ensure business as usual (the server may need an update as well as the client).

b) If the validity timeline is too long, security can tend to be lower - probably this is for a central sub Ent. CA that is well guarded against compromise or exposure. But the security team may think otherwise. Validity max at 1-2 years can be a "norm" for very security-sensitive application systems, but going beyond that period can still be possible; you just need to assess the risk and business returns.

Overall, the business security and Ops turnaround need to be acceptable to all supporting teams and concurred with by your management. This should include catering a sufficient time frame for the Ops cum IT teams to respond practically to an unexpected outage or recurring maintenance lifecycle. Have exercises on the renewal SOP to tune the period along the way. It is not a hardcoded period per se, as you can control the configuration as the stakeholder.
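
One way to check the constraint mentioned in the answer above (template validity versus the CA certificate's lifetime), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, a template CN of `KeyRecoveryAgent`, and a hypothetical exported CA certificate file `issuing-ca.cer`; it compares against the CA certificate's remaining lifetime, which is the stricter reading of that constraint.

```powershell
# Added example: read a template's validity and renewal period from AD and
# compare the validity with what is left on the issuing CA's certificate.
param(
    [string]$TemplateName = 'KeyRecoveryAgent',   # assumed template CN
    [string]$CaCertPath   = '.\issuing-ca.cer'    # hypothetical exported CA certificate
)

Import-Module ActiveDirectory

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative
    # intervals counted in 100 ns units, the same unit as .NET ticks.
    param([byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    [TimeSpan]::FromTicks([Math]::Abs($ticks))
}

# Certificate templates live in the forest's configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -SearchBase $searchBase `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
    -Properties pKIExpirationPeriod, pKIOverlapPeriod

if (-not $template) { throw "Template '$TemplateName' not found." }

$validity = ConvertFrom-PkiPeriod $template.pKIExpirationPeriod
$renewal  = ConvertFrom-PkiPeriod $template.pKIOverlapPeriod

# Load the CA certificate and work out how long it remains valid.
$caCert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                (Resolve-Path $CaCertPath).Path)
$caRemain = $caCert.NotAfter - (Get-Date)

[pscustomobject]@{
    Template          = $TemplateName
    ValidityDays      = [int]$validity.TotalDays
    RenewalPeriodDays = [int]$renewal.TotalDays
    CaCertNotAfter    = $caCert.NotAfter
    CaRemainingDays   = [int]$caRemain.TotalDays
    # True means the template asks for more than the CA certificate has left.
    ExceedsCaLifetime = $validity -gt $caRemain
}
```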