Unsolved CA Validity Periods

black3dynamite

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew yoru RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back upjust fine in theory.

If you have it turned on and networked for 8-20 years or whatever, i'm sure it's more likely to fuck up than if it's turned off.

Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

Obsolesce

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew yoru RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back upjust fine in theory.

If you have it turned on and networked for 8-20 years or whatever, i'm sure it's more likely to fuck up than if it's turned off.

Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

How's that going to effect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

black3dynamite

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew yoru RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back upjust fine in theory.

If you have it turned on and networked for 8-20 years or whatever, i'm sure it's more likely to fuck up than if it's turned off.

Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

How's that going to effect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

What happens if browsers like Firefox, Edge or Chrome in end up requiring certain new encryptions or cryptography like one of the elliptic curve types. And because the RootCA server has been offline for so long, that it has an older SSL version, now you will have to get the server updated either offline or online.

Obsolesce

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew yoru RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back upjust fine in theory.

If you have it turned on and networked for 8-20 years or whatever, i'm sure it's more likely to fuck up than if it's turned off.

Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

How's that going to effect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

What happens if browsers like Firefox, Edge or Chrome in end up requiring certain new encryptions or cryptography like one of the elliptic curve types. And because the RootCA server has been offline for so long, that it has an older SSL version, now you will have to get the server updated either offline or online.

That has to do with the certificate issued to the web server, not the root/sub certificates.

Obsolesce

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

@black3dynamite said in CA Validity Periods:

@Obsolesce So when year 20 comes around, you just redeploy a new RootCA server?

Oh, to specifically answer your question. You don't need to redeploy the RootCA unless there's a reason to.

If you turn on the offline RootCA 8 years later to renew your SubCA cert, where's the issue? So long as you can reissue the cert and the cert still meets all security requirements, issue the cert, or renew yoru RootCA cert first then reissue the SubCA cert, then turn it off again for 8 more years and re-evaluate then. It's offline, and turned off... literally zero changes, it should come back upjust fine in theory.

If you have it turned on and networked for 8-20 years or whatever, i'm sure it's more likely to fuck up than if it's turned off.

Wouldn’t it be wise to keep OpenSSL/LibreSSL updated at least?

How's that going to effect the certificate your SubCA or RootCA needs? You're bringing up the RootCA to create a certificate, that's it.

What happens if browsers like Firefox, Edge or Chrome in end up requiring certain new encryptions or cryptography like one of the elliptic curve types. And because the RootCA server has been offline for so long, that it has an older SSL version, now you will have to get the server updated either offline or online.

That has to do with the certificate issued to the web server, not the root/sub certificates.

What you choose on the Microsoft RootCA is a good CSP. The RSA MSKSP should be fine for a super long time: https://docs.microsoft.com/en-us/windows/desktop/SecCertEnroll/cryptoapi-cryptographic-service-providers

IRJ

@Obsolesce , yes CA being offline or at least pulling the private key off is pretty common.

Obsolesce

And obviously, if something drastically changes, then in any case whatsoever, you'd have update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

IRJ

@Obsolesce said in CA Validity Periods:

And obviously, if something drastically changes, then in any case whatsoever, you'd have update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Obsolesce

@IRJ said in CA Validity Periods:

@Obsolesce said in CA Validity Periods:

And obviously, if something drastically changes, then in any case whatsoever, you'd have update the root cert regardless. You can't simply change a root cert even if it's 100% online and updating. You'd still have to change the root cert and redeploy all certs.

This is a decent quick overview of when to use existing key pair vs new key pair when re-issuing CA certs.

https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Right, but that's a different and separate topic.

scottalanmiller

Was this answered or is an answer still needed?