Why issue a SSL certificate that expires in 2037?

ssl-certificate certificate-authority

In Firefox, if I view the Verisign Universal Root Certificate Authority, I notice that it expires in 2037.

(Settings tab -> advanced -> view certificates -> VeriSign Universal Root Certification Authority -> View.)

Why does it have a lifetime of 23 years?
Why wouldn't they set it to expire earlier? Or later?


Solution 1:

The expiry was set in 2037 to avoid the possibility of running into the Unix year 2038 date problem. Basically in early 2038 Unix dates will no longer fit in a signed 32bit integer so using a date just before then avoids triggering any code not yet updated to fix the problem.

Root certificates take all chained certificates with them when they expire so from a practical perspective need to expire after any chained certificates.

Solution 2:

If I understand your question, replacement root certificates would need to be redeployed to the clients. So odds are, their lifetime is set far enough out where there is little or no chance of the root cert expiring.

Related

How do I print the current hostname of a host in ansible
Is there any difference between "file" and "./file" paths?
service httpd restart / (98)Address already in use
What does "Unlocking" an AD account that is not locked do?
Using GIT variables in a declarative Jenkins pipeline
Ansible conditionals - Wildcard match string
Accidentally deleted python and yum is not working in centos7 [closed]
Why is "DbccFilesCompact" status is "Suspended"?
Git : seemed to be in "(no branch)" and then lost my changes
Slash Notation IP - What is what?
How do you choose your IP addressing?
Why does ethernet have a minimum frame size specified?