Best Practices for PKI Certification Authority Duration

49885604 215 Reputation points
2025-03-18T21:59:48.6466667+00:00

What are the recommended best practices for the duration of Certification Authorities (CAs), specifically for Root and Subordinate CAs?

Typically, Subordinate CAs have a duration of half that of the Root CA: such as 25 years for the Root and 10 years for the SubCA, or 10 years for the Root and 5 years for the SubCA.

Is there a recommendation from Microsoft for shorter durations or any new best practices related to this?

Thank you in advance for the assistance.


3 answers

  1. Geoff McKenzie 690 Reputation points
    2025-03-19T00:59:48.79+00:00

    Hi 49885604,

    I really want to cheat here and say....

    Align your PKI configuration to your organisation's security policy(ies).

    I am cautious about the term "Best Practices". I ask myself, 'Best for whom?' and 'Best for what sort of environment/organisation?'

    For example, in a highly automated, closely monitored (with highly tuned monitoring), robust procedures (including calendars) for manual tasks and sufficient staffing, you can meet more stringent security posture with shorter key life times.

    In a significant number of environments, the above is not sufficiently mature.

    Bear in mind. If you have Root CA =6yrs and Issuing =3yrs. Then before the 3 years come around, you need to do new CA certs AND distribute them to ALL your systems that need to trust the PKI. Whilst, in theory, this is fairly straightforward in a pure Windows and AD environment with Windows PKI and all apps using the Windows certificate store, very few environments these days are like that. Think about non-AD joined Windows, apps (even on Windows) which do not use the Windows certificate store (Java key stores, etc.) and non-Windows systems and devices which need to trust the PKI, and don't forget cloud. Your processes and/or automation must cater to all these scenarios. + every 6 years you have to do all your CAs including root.

    MS recommends you renew CAs at half their actual life (I'll try to remember to find that reference). So for a 6 year root you should renew that at 3yrs and a 3year issuing would be renewed at 18 months.
    
    Regards,
    
    P.s. Here's the reference....
    
    [https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/pki-design-considerations](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/pki-design-considerations)
    
    "CAs can't issue certificates that are valid beyond their own validity period. A best practice is to renew the CA certificate when half of its validity period is expired. When installing a CA, you should plan this date and ensure that it's recorded as a future task."
    
    Geoff
    
    

  2. Geoff McKenzie 690 Reputation points
    2025-03-19T01:07:12.1266667+00:00

    I think editing to add the reference broke the formatting - Let me redo that....

    Hi 49885604,

    I really want to cheat here and say....

    Align your PKI configuration to your organisation's security policy(ies).

    I am cautious about the term "Best Practices". I ask myself, 'Best for whom?' and 'Best for what sort of environment/organisation?'

    For example, in a highly automated, closely monitored (with highly tuned monitoring), robust procedures (including calendars) for manual tasks and sufficient staffing, you can meet more stringent security posture with shorter key life times.

    In a significant number of environments, the above is not sufficiently mature.

    Bear in mind. If you have Root CA =6yrs and Issuing =3yrs. Then before the 3 years come around, you need to do new CA certs AND distribute them to ALL your systems that need to trust the PKI. Whilst, in theory, this is fairly straightforward in a pure Windows and AD environment with Windows PKI and all apps using the Windows certificate store, very few environments these days are like that. Think about non-AD joined Windows, apps (even on Windows) which do not use the Windows certificate store (Java key stores, etc.) and non-Windows systems and devices which need to trust the PKI, and don't forget cloud. Your processes and/or automation must cater to all these scenarios. + every 6 years you have to do all your CAs including root.

    MS recommends you renew CAs at half their actual life (I'll try to remember to find that reference). So for a 6 year root you should renew that at 3yrs and a 3year issuing would be renewed at 18 months.

    Regards,

    P.s. Here's the reference....

    https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/pki-design-considerations

    "CAs can't issue certificates that are valid beyond their own validity period. A best practice is to renew the CA certificate when half of its validity period is expired. When installing a CA, you should plan this date and ensure that it's recorded as a future task."
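The two rules in this answer (a CA cannot issue beyond its own NotAfter, and the CA certificate should be renewed once half of its validity period has expired) are easy to get wrong on a calendar, so here is a small planning helper as an added example. It is not code from the thread or from Microsoft; the CA names, the start date and the 365-day year are constructed assumptions. It models a two-tier hierarchy, clips a subordinate's requested validity to its issuer's window, computes the half-life renewal date for each CA (the "future task" the quoted guidance says to record at install time), and reports which renewals are overdue as of a given date.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# A calendar year approximated as 365 days: adequate for planning renewal dates (assumption).
YEAR = timedelta(days=365)


@dataclass(frozen=True)
class CaCert:
    """Validity window of one CA certificate in the hierarchy (hypothetical model, not an X.509 parser)."""
    name: str
    not_before: datetime
    not_after: datetime
    issuer: Optional[str] = None  # None for a self-signed root

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    @property
    def renewal_date(self) -> datetime:
        # The renewal point quoted from the Microsoft design guidance: half the validity period expired.
        return self.not_before + self.lifetime / 2


def issue_ca(name: str, not_before: datetime, years: int, issuer: Optional[CaCert] = None) -> CaCert:
    """Model issuing a CA certificate.

    A CA cannot issue certificates valid beyond its own validity period, so a subordinate's
    requested NotAfter is clipped to the issuer's NotAfter rather than honoured as requested.
    """
    requested_end = not_before + years * YEAR
    if issuer is not None and requested_end > issuer.not_after:
        requested_end = issuer.not_after
    return CaCert(name, not_before, requested_end, issuer.name if issuer else None)


def effective_not_after(ca: CaCert, requested_not_after: datetime) -> datetime:
    """End date an end-entity certificate will actually carry when requested from this CA."""
    return min(requested_not_after, ca.not_after)


def renewal_tasks(chain: List[CaCert], now: datetime) -> List[Tuple[str, datetime, str]]:
    """Return (CA name, half-life renewal date, 'overdue' | 'scheduled'), earliest date first.

    Note that a renewed CA certificate must also be distributed to every trust store
    (domain, non-domain, Java key stores, cloud) before the old one is relied upon no more.
    """
    tasks = []
    for ca in chain:
        status = "overdue" if now >= ca.renewal_date else "scheduled"
        tasks.append((ca.name, ca.renewal_date, status))
    return sorted(tasks, key=lambda task: task[1])


def build_demo_hierarchy(root_years: int, issuing_years: int) -> Tuple[CaCert, CaCert]:
    """Constructed sample: a root and one issuing CA installed on the same day."""
    installed = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed install date
    root = issue_ca("Contoso Root CA", installed, root_years)  # hypothetical name
    issuing = issue_ca("Contoso Issuing CA", installed, issuing_years, issuer=root)  # hypothetical name
    return root, issuing


if __name__ == "__main__":
    root, issuing = build_demo_hierarchy(root_years=6, issuing_years=3)
    two_years_in = root.not_before + 2 * YEAR
    for name, when, status in renewal_tasks([root, issuing], now=two_years_in):
        print(f"{name}: renew by {when:%Y-%m-%d} ({status})")
    # A 2-year end-entity request near the issuing CA's expiry is clipped to that expiry.
    late_request = issuing.not_after - 30 * timedelta(days=1)
    print("clipped end date:", effective_not_after(issuing, late_request + 2 * YEAR))
```

With the 6-year root and 3-year issuing CA from the answer, the helper places the root renewal three years after installation and the issuing renewal at 18 months; with the 10/5 pairing from the question it gives five years and 2.5 years. Run it two years after installation and the issuing CA's renewal shows as overdue while the root's is still scheduled, which is exactly the calendar entry the quoted guidance asks you to record when the CA is installed.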


  3. Daisy Zhou 32,421 Reputation points Microsoft External Staff
    2025-03-19T02:29:55.0733333+00:00

    Hello 49885604,

    Thank you for posting in Q&A forum.

    You can combine your actual environment and best practices to determine the PKI Certification Authority duration.


    References:

    https://techcommunity.microsoft.com/blog/configurationmanagerarchive/recommendations-for-pki-key-lengths-and-validity-periods-with-configuration-mana/272758

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc740209(v=ws.10)?redirectedfrom=MSDN#planning-for-the-renewal-of-a-ca

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)

    https://techcommunity.microsoft.com/blog/askds/designing-and-implementing-a-pki-part-ii-implementation-phases-and-certificate-a/397198

    Here is another link you can read.

    https://www.keytos.io/docs/azure-pki/creating-your-first-ca/what-is-the-best-validity-period-for-a-ca/

    Thank you for posting in Q&A forum.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

