Why issue an SSL certificate that expires in 2037?

In Firefox, if I view the Verisign Universal Root Certificate Authority, I notice that it expires in 2037.

(Settings tab -> advanced -> view certificates -> VeriSign Universal Root Certification Authority -> View.)

Why does it have a lifetime of 23 years?
Why wouldn't they set it to expire earlier? Or later?


Solution 1:

The expiry was set in 2037 to avoid the possibility of running into the Unix year 2038 date problem. Basically, in early 2038 Unix dates will no longer fit in a signed 32-bit integer, so using a date just before then avoids triggering any code not yet updated to fix the problem.

Root certificates take all chained certificates with them when they expire, so from a practical perspective they need to expire after any chained certificates.
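An added example, not part of the answer above: a small Python audit that applies both points from Solution 1 to a chain's notAfter values, flagging any expiry that wraps in a signed 32-bit time_t and any certificate that outlives its issuer. The function names and both sample chains are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1  # last second a signed 32-bit time_t holds: 2038-01-19T03:14:07Z

def parse_asn1_time(value):
    """Parse an X.509 validity time: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not value.endswith("Z") or len(value) not in (13, 15):
        raise ValueError(f"unsupported time encoding: {value!r}")
    if len(value) == 13:
        yy = int(value[:2])
        # RFC 5280: two-digit years 50-99 mean 19YY, 00-49 mean 20YY.
        value = f"{1900 + yy if yy >= 50 else 2000 + yy}{value[2:]}"
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def as_time32(epoch):
    """Return the value seen by code that stores the timestamp in a signed 32-bit integer."""
    return struct.unpack("<i", struct.pack("<I", epoch & 0xFFFFFFFF))[0]

def audit_chain(chain):
    """chain: list of (name, notAfter), leaf first and root last. Returns a list of findings."""
    findings = []
    expiries = [(name, int(parse_asn1_time(t).timestamp())) for name, t in chain]
    for i, (name, epoch) in enumerate(expiries):
        if epoch > INT32_MAX:
            findings.append(f"{name}: notAfter wraps to {as_time32(epoch)} in a 32-bit time_t")
        if i + 1 < len(expiries) and epoch > expiries[i + 1][1]:
            findings.append(f"{name}: outlives its issuer {expiries[i + 1][0]}")
    return findings

# Constructed sample chains (not taken from any real certificate).
CHAIN_2037 = [("leaf", "260101000000Z"), ("intermediate", "301231235959Z"),
              ("root", "371201235959Z")]
CHAIN_2050 = [("leaf", "320101000000Z"), ("intermediate", "301231235959Z"),
              ("root", "20500101000000Z")]

if __name__ == "__main__":
    for label, chain in (("2037 root", CHAIN_2037), ("2050 root", CHAIN_2050)):
        print(label, audit_chain(chain) or "ok")
```

A negative wrapped value is a timestamp before 1970, so unpatched 32-bit code would treat the 2050 root as long expired.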

Solution 2:

If I understand your question, replacement root certificates would need to be redeployed to the clients. So odds are, their lifetime is set far enough out that there is little or no chance of the root cert expiring.