What factors determine an appropriate SSL expiration date?

ssl ssl-certificate

When buying an SSL certificate, what factors determine how many months/years you get it issued for? Is it arbitrary, or is one term length more appropriate in some circumstances?


Solution 1:

The exact timespans are essentially arbitrary but there is a point to having the certificates expire. The longer the cert is valid, the less administrative burden is on you to renew it all the time, but the downside is an attacker has longer to try to brute force the key before it changes. That's the point of expiring certs. Is to keep changing the keys so that attackers don't have an infinite amount of time in which to crack it. Root CA's typically have the longest life times. A CA cannot issue a certificate whose validity period outlasts its own.

Most companies have guidelines surrounding SSL certificate usage, and how long of a validity period certs may have. But it's mostly arbitrary. Shorter lifetimes = "safer."

Related

Unable to ping between host machines and guest vms running on Vmware
Should I install vanilla ESXi or the Dell customised version on a new cluster of R620
Modifying /etc/hosts to easily access a domain name (or ip address) for amazon EC2 instance
Disable Connection:keep alive in Jetty 9
Simple monitoring solution for a single server [closed]
Linux system configuration management: versioning and deployment
sudo does not prompt for password and reports 3 incorrect password attempts
How to restore pam configuration?
Will UUID be the same if a disk moved from one machine to another?
nginx multiple domain point to same location
Incoming (ingress) traffic shaping on Linux - bw is lower than expected
Mysterious Bandwidth Usage