Today, I was asked by a client to look at best practices for digital certificates, such as X.509 and the like. I extended that research to include all types of encryption certificates, SSL/code signing, etc.
Basically, there was a dearth of best practice information available for setting the expiration dates on certs issued for various purposes.
We found a wealth of mentions in PCI, FFIEC, FDIC, NCUA, HIPAA, NIST and other guidance about checking to make sure that expiration dates were valid, reasonable and such, but no real guidance for what “reasonable” is or anything to cite to make a statement that your approach and processes fit the reasonable judgement. There were plenty of guidance sources on checking authenticity of certs, vendor selection and all of that, but little to help organizations in their attempts to define reasonable best practices for how long certs should live once issued.
Our next step was to take a look at the practices of some of the leading certificate vendors and see if we could establish a consensus from their approaches. Quick checks into their process revealed the following:
The major certificate vendors (Verisign, Thawte, etc.) issue certificates with a maximum life span of 2-3 years for most purposes. They explained that this minimized the overhead management work for them while establishing enough care for cryptographic changes (this doesn’t happen right? MD5 nightmare anyone, anyone?), organizational changes and churn in their client base. Secondary vendors (Comodo, RapidSSL, GlobalSign, etc.) in this arena issue certificates for a maximum of 5 years. It appears that they are willing to extend trust a little further to minimize their workload/overhead in management of the certs and processes.
Generally speaking, after reviewing this data, the various standards and processes and the mechanisms that the “big boys” use, I would offer the following as a best practice for setting up expirations on certificates in general.
The best practice for establishing expiration dates on certificates should be two years with a hard set maximum of five years. Two years should be the established baseline for processes and organizations with any increases (up to a maximum of five years) requiring appropriate risk assessment/acceptance from responsible parties in an organization.
I hope this helps folks who are working on establishing certificate systems and other processes in their organizations. If you disagree with my approach or work, please let me know. I am always open to comments via the blog or @lbhuston on Twitter. Thanks for reading!