What factors determine an appropriate SSL expiration date?

When buying an SSL certificate, what factors determine how many months/years you get it issued for? Is it arbitrary, or is one term length more appropriate in some circumstances?


Solution 1:

The exact timespans are essentially arbitrary, but there is a point to having the certificates expire. The longer the cert is valid, the less administrative burden is on you to renew it all the time, but the downside is that an attacker has longer to try to brute force the key before it changes. That's the point of expiring certs: to keep changing the keys so that attackers don't have an infinite amount of time in which to crack them. Root CAs typically have the longest lifetimes. A CA cannot issue a certificate whose validity period outlasts its own.

Most companies have guidelines surrounding SSL certificate usage and how long a validity period certs may have. But it's mostly arbitrary. Shorter lifetimes = "safer."
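As an added example (not part of the question or the answer above), the following Python checks two of the points raised: that each certificate's validity period nests inside its issuer's, and that the leaf lifetime stays within a company guideline while a renewal date is derived from the chain's effective window. The chain dates, the 398-day guideline and the 30-day lead time are constructed values, not taken from any real deployment.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample chain, root first: (name, notBefore, notAfter).
SAMPLE_CHAIN = [
    ("Root CA", datetime(2020, 1, 1, tzinfo=UTC), datetime(2040, 1, 1, tzinfo=UTC)),
    ("Intermediate CA", datetime(2022, 1, 1, tzinfo=UTC), datetime(2032, 1, 1, tzinfo=UTC)),
    ("example.test leaf", datetime(2024, 3, 1, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC)),
]


def check_nesting(chain):
    """Return problems where a cert's validity falls outside its issuer's window."""
    problems = []
    for (iname, inb, ina), (sname, snb, sna) in zip(chain, chain[1:]):
        if snb < inb:
            problems.append(f"{sname}: notBefore precedes issuer {iname}")
        if sna > ina:
            problems.append(f"{sname}: notAfter outlasts issuer {iname}")
    return problems


def effective_validity(chain):
    """Window in which the whole chain validates: intersection of all periods."""
    start = max(nb for _, nb, _ in chain)
    end = min(na for _, _, na in chain)
    return start, end


def renewal_plan(chain, max_lifetime_days, lead_days, now):
    """Compare the leaf lifetime with a (constructed) company guideline and
    compute the date by which renewal must be done, given a lead time."""
    _, leaf_nb, leaf_na = chain[-1]
    lifetime_days = (leaf_na - leaf_nb).days
    _, end = effective_validity(chain)          # an issuer may expire first
    renew_by = end - timedelta(days=lead_days)
    return {
        "leaf_lifetime_days": lifetime_days,
        "exceeds_policy": lifetime_days > max_lifetime_days,
        "renew_by": renew_by,
        "days_until_renewal": (renew_by - now).days,
    }


if __name__ == "__main__":
    print(check_nesting(SAMPLE_CHAIN))
    print(renewal_plan(SAMPLE_CHAIN, 398, 30, datetime(2025, 1, 1, tzinfo=UTC)))
```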