KRA certificate validity period

Hobbit1082 41 Reputation points

Hello everyone,

I'll set up KRA soon for a new PKI.

KRA certificates will be stored on dedicated smartcards to be sure they don't get lost.

I am currently thinking about the best practice regarding KRA certificate validity period. Should I keep it to 2 years or extend it to the validity period of the CA (10 years)? From my point of view:

  • Extending the KRA certificate validity will require less maintenance for the admins (less certificate renewal).
  • The KRA certificate will be stored on a smart card, so it won't be much exposed. So increasing the validity period would not be a security risk.

But I'm probably missing something here. Could you tell me what you think about it, and what you recommend?

As usual, thank you for your time :)


Accepted answer
  1. Vadims Podāns 9,111 Reputation points MVP

    Should I keep it to 2 years or extend it to the validity period of the CA (10 years)?

    Yes, that's what *I* would recommend. There is no practical reason to use short certificates for KRA since it doesn't require key exposure (unlike TLS, email or code signing certs) and it is easy to provide the same security level as is done for the CA key. Frequent KRA changes will eventually lead to an inability to recover a required key and increased maintenance costs. Moreover, you can consider using a self-signed certificate (which must be trusted by the CA server only), so the KRA cert isn't tied to the CA and doesn't rely on CA revocation information. If there is a need to replace the cert -- an admin just replaces the KRA cert in the CA configuration.

    Keep in mind that it is not an industry standard. But my personal experience (10+ years in PKI field) suggests that this is the right way to do this thing.

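Whatever validity period is chosen, the operational risk the answer describes (a KRA certificate that has silently expired or is no longer present when a key must be recovered) is easy to check for. The following PowerShell script is an added example written for this thread, not code from the answer or from Microsoft; it assumes the AD CS CertSvc registry layout (`Configuration\Active`, `KRACertHash`, `KRACertCount`) and that the CA server keeps its selected KRA certificates in the `LocalMachine\KRA` certificate store. The `-WarnDays` threshold and the `Cert:\LocalMachine\KRA` path are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): list the KRA certificates an AD CS CA is
# configured to use and flag any that are missing, expired, or close to expiry.
# Assumptions (labelled): the CertSvc registry layout with Active/KRACertHash/
# KRACertCount, and that the CA keeps the selected KRA certificates in the
# LocalMachine\KRA store. Run on the CA server in an elevated session.

param([int]$WarnDays = 90)   # assumed warning threshold, adjust as needed

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caProps = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# KRACertHash is a REG_MULTI_SZ of SHA-1 thumbprints written as space-separated
# hex bytes; normalise to the bare upper-case form used by the Cert: provider.
$hashes = @($caProps.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

# KRACertCount is how many of the listed KRA certificates the CA uses to encrypt
# each archived key; it must not exceed the number of certificates on record.
$count = [int]$caProps.KRACertCount

Write-Host "CA: $caName  KRA certs on record: $($hashes.Count)  used per archived key: $count"

$results = foreach ($thumb in $hashes) {
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\KRA' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        [pscustomobject]@{ Thumbprint = $thumb; Subject = '<not found in LocalMachine\KRA>'
                           NotAfter = $null; DaysLeft = $null; Status = 'MISSING' }
        continue
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
              else { 'OK' }
    [pscustomobject]@{ Thumbprint = $thumb; Subject = $cert.Subject
                       NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; Status = $status }
}

$results | Format-Table -AutoSize

if ($hashes.Count -lt $count) {
    Write-Warning "KRACertCount ($count) exceeds the number of KRA certificates on record ($($hashes.Count))."
}

# Non-zero exit code so the check can run from a scheduled task or monitoring job.
if ($results | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

Run it periodically on the CA; a `MISSING` or `EXPIRED` row means newly archived keys may fail to be encrypted to that KRA, and the private key matching that certificate (on its smart card, per the question) should be located before any recovery is needed.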

1 additional answer

  1. Hobbit1082 41 Reputation points

    Thank you for your answer!
