Why Root CA Cert does not have expiration date?

Hi As we know the below is a chain. The last two elements have expiration date. and need to update. But I have not heard the first one Root CA Cert need to update. Why is that? Thank you

Root CA Cert > Intermediate CA Cert (bundle of Sub CA) > Server SSL cert
eemoonAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Schnell SolutionsConnect With a Mentor Systems Infrastructure EngineerCommented:
If they are certificates using the standard X.509 the CA normally will have its expiration date. And its expiration date is important, because no certificate under its chain can have an expiration date after the date of the Root CA Cert.

Usually Root CAs are never heard of been updated because of the following reasons:
- Their expiration date is usually set for lasting a long line. For example: 40 years.
- They are not renewed by the final user, they are renewed in the PKI itself. An administrator just works with it if it is an internal CA and its certificate needs to be renewed.
- OSs add new CAs to their repositories with OS updates, and usually the issuer companies add these updates (Other CAs) before the old ones expire.
- If a final digital certificate is renewed, then this process can be done with a different root CA, considering that the previously old CA is about to expire.
0
 
eemoonAuthor Commented:
Excellent explanation! Thank you
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.