Why Root CA Cert does not have expiration date?

eemoon
eemoon used Ask the Experts™
on
Hi As we know the below is a chain. The last two elements have expiration date. and need to update. But I have not heard the first one Root CA Cert need to update. Why is that? Thank you

Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Systems Infrastructure Engineer
Commented:
If they are certificates using the standard X.509 the CA normally will have its expiration date. And its expiration date is important, because no certificate under its chain can have an expiration date after the date of the Root CA Cert.

Usually Root CAs are never heard of been updated because of the following reasons:
- Their expiration date is usually set for lasting a long line. For example: 40 years.
- They are not renewed by the final user, they are renewed in the PKI itself. An administrator just works with it if it is an internal CA and its certificate needs to be renewed.
- OSs add new CAs to their repositories with OS updates, and usually the issuer companies add these updates (Other CAs) before the old ones expire.
- If a final digital certificate is renewed, then this process can be done with a different root CA, considering that the previously old CA is about to expire.

Author

Commented:
Excellent explanation! Thank you

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial