What is a good certificate expiration time and how do you decide?

Anonymous
2024-09-05T15:26:35+00:00

I've recently been asked to extend my workstation certificate expiration time to something longer than I currently have. I don't really want to say what it currently is, but I'm looking for advice on how to gauge a safe expiration time.

We are a fairly large school district. We manage our own PKI infrastructure for all internal certificate usage, as it is much cheaper than buying hundreds of certificates for each service.

We primarily use workstation certificates to authenticate on wireless. We may also use them for VPN configurations in the future, as we move toward AOV.

The problem is that we have a few schools that have laptop carts for student use. They have a tendency to sit in a closet for long periods of time and their computer certificates tend to expire while they sit.

Others are complaining that they may be expiring over the Summer, but I'm not so concerned about those. That's just an issue of timing, but for computers that sit for long periods of time, those are pain points for some people.

I'm trying my best to keep it simple because I'm pretty much the only person that manages our PKI.

What security concerns should I consider? What would you consider a long enough expiration time frame for your computers, particularly laptops?

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)



3 answers

  1. Anonymous
    2024-09-05T16:17:29+00:00

    Hello RCooley33,

    Thank you for posting in Microsoft Community forum.

    What security concerns should I consider? What would you consider a long enough expiration time frame for your computers, particularly laptops?

    A: At least one year. Maybe you can set it to 3-6 years.

    However, the issued certificate validity period depends upon the least of the values below.

    a) The expiry date of the issuing CA certificate

    b) The validity period that is defined in the registry affects all certificates that are issued by Stand-alone and Enterprise CAs. For an Enterprise CA, the default registry setting is two years. For a Stand-alone CA, the default registry setting is one year.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    c) The template validity period in the case of an Enterprise (AD integrated) CA

    They have a tendency to sit in a closet for long periods of time and their computer certificates tend to expire while they sit.

    A: For this question, you can use an autoenrollment GPO policy.

    Set Up Automatic Certificate Enrollment (Autoenroll)

    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2024-09-05T16:47:57+00:00

    We already do auto-enrollment.

    If I connect this computer to a network that can get group policy updates, will it also be able to auto-enroll with an expired certificate? What would prevent it from re-enrolling or renewing or replacing an expired certificate?

    Also, what are my risks if the device is stolen or lost?

  3. Anonymous
    2024-09-06T08:44:09+00:00

    Hello

    Good day!

    *If I connect this computer to a network that can get group policy updates, will it also be able to auto-enroll with an expired certificate?*

    A1: No, the expired certificate cannot be renewed. You should re-enroll for a new certificate.

    What would prevent it from re-enrolling or renewing or replacing an expired certificate?

    A2: For a certificate that will expire (but has not expired yet), the lack of a connection between the domain machine and the domain/domain controller.
    If a certificate is already expired, it will not be renewed.

    Also, what are my risks if the device is stolen or lost?

    A3: If your device is stolen or lost, there are several risks you might face:

    1. Data Theft:

    Personal and sensitive information, such as contacts, emails, photos, documents, and passwords, may be accessed by unauthorized individuals.

    2. Identity Theft:

    Criminals might use the information on your device to impersonate you or access your accounts, leading to financial loss and legal issues.

    3. Unauthorized Purchases:

    If payment information is stored on your device, it could be used to make unauthorized purchases.

    4. Access to Online Accounts:

    Your social media, banking, and other accounts might be at risk if they can be accessed through your device.

    5. Loss of Work or Personal Files:

    Important work documents or personal files might be lost if you haven't backed them up.

    6. Security Breach:

    If your device is connected to a corporate network, it might pose a security risk to your company.

    To mitigate these risks, here are some steps you can take:

    • Use strong passwords and enable two-factor authentication on your accounts.
    • Encrypt your device if possible.
    • Enable remote tracking and wiping features so you can locate or erase your device if it's lost or stolen.
    • Regularly back up your data to a secure location.
    • Notify your service provider and relevant institutions (like banks) if your device is lost or stolen.

    Best Regards,
    Daisy Zhou

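The two answers above make two separate points: the first says the issued lifetime is the least of three caps (CA certificate expiry, the CA's ValidityPeriod registry setting, the template validity), and the third says autoenrollment renews only while the machine can reach a domain controller and never renews a certificate that has already expired. The following Python model is an added example, not code from either answer or from Microsoft; it puts both rules together so the "closet laptop" question can be worked through with numbers. Everything about the renewal period (that the client renews only once the certificate is inside the template's renewal period, and that the template editor caps the renewal period at a fraction of the validity, 0.75 being the commonly quoted figure) is an assumption of the model, as are all the dates and day counts, which are constructed for illustration.

```python
from datetime import date, timedelta


def effective_validity_days(issued_on: str, ca_cert_expires: str,
                            registry_days: int, template_days: int) -> int:
    """Lifetime the CA can actually issue on `issued_on` (ISO date strings).

    The first answer lists three caps and the issued certificate gets the least
    of them: a) remaining life of the issuing CA certificate, b) the CA's
    ValidityPeriod/ValidityPeriodUnits registry value, c) the template validity.
    """
    ca_remaining = (date.fromisoformat(ca_cert_expires)
                    - date.fromisoformat(issued_on)).days
    return min(ca_remaining, registry_days, template_days)


def device_state_on_return(issued_on: str, validity_days: int,
                           renewal_days: int, back_online: str) -> str:
    """What autoenrollment can do on the day a laptop comes out of the closet.

    Model assumptions (not stated on the page): the client renews only while it
    is on a network that reaches a domain controller, and only once the
    certificate has entered its template renewal period. An expired certificate
    is never renewed and needs a fresh enrollment, as the third answer says.
    Returns "valid", "renew" or "expired".
    """
    issued = date.fromisoformat(issued_on)
    expires_on = issued + timedelta(days=validity_days)
    renewal_opens = expires_on - timedelta(days=renewal_days)
    returned = date.fromisoformat(back_online)
    if returned >= expires_on:
        return "expired"          # must enroll a new certificate
    if returned >= renewal_opens:
        return "renew"            # autoenrollment can still renew it
    return "valid"


def max_shelf_days(renewal_days: int) -> int:
    """Longest offline gap that can never leave the laptop with an expired cert.

    Worst case: the cart goes into the closet the day before the renewal period
    opens, so no renewal has been attempted yet. It must be back before expiry,
    so the tolerable gap is bounded by the renewal period, not by the validity
    period. That is the practical point for the question asked: lengthening
    validity alone does not help closet laptops unless the template's renewal
    period grows with it.
    """
    return renewal_days


def minimum_template_settings(shelf_days: int,
                              renewal_fraction_cap: float = 0.75) -> tuple[int, int]:
    """Smallest (renewal period, validity) in days that covers a shelf time.

    Assumption: the template editor only accepts a renewal period that is
    shorter than a fixed fraction of the validity period. 0.75 is the figure
    commonly quoted for AD CS; it is a parameter here so it can be corrected.
    """
    renewal_days = shelf_days
    validity_days = int(renewal_days / renewal_fraction_cap) + 1  # strictly under the cap
    return renewal_days, validity_days


if __name__ == "__main__":
    # Constructed numbers: the Enterprise CA default of two years from the
    # registry (first answer) turns out to be the binding cap here.
    print(effective_validity_days("2024-09-05", "2027-01-01", 730, 1095))  # 730
    for back in ("2025-06-01", "2025-08-15", "2025-09-10"):
        print(back, device_state_on_return("2024-09-05", 365, 42, back))
    print(max_shelf_days(42), minimum_template_settings(90))  # 42 (90, 121)
```

Reading the output: with a one-year certificate and a six-week renewal period, a cart that is unplugged for more than 42 days can come back expired no matter how long the validity is; the fix for that school is a longer renewal period (and a validity long enough to permit it), not just a longer validity.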