This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 56.00000000000001%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hello everyone,
I'll set up KRA soon for a new PKI.
KRA certificates will be stored on dedicated smartcards to be sure they don't get lost.
I am currently thinking about the best practice regarding KRA certificate validity period. Should I keep it to 2 years or extend it to the validity period of the CA (10 years)? From my point of view:
But, I'm probably missing something here. Could you tell me what you think about it, and what you recommend ?
As usual, thank you for your time :)
Should I keep it to 2 years or extend it to the validity period of the CA (10 years)?
yes, that's what *I* would recommend. There is no practical reason to use short certificates for KRA since it doesn't require key exposure (unlike TLS, email or code signing certs) and it is easy to provide same security level like it is done for CA key. Frquent KRA changes will eventually lead to an inability to recover required key and increased maintenance costs. Moreover, you can consider to use a self-signed certificate (which must be trusted by CA server only), so KRA cert isn't tied to CA and doesn't rely on CA revocation information. If there is a need to replace cert -- an admin just replaces KRA cert in CA configuration.
Keep in mind that it is not an industry standard. But my personal experience (10+ years in PKI field) suggests that this is the right way to do this thing.
Thank you for your answer !