In theory, could a CA make a certificate that is valid for arbitrarily long?
Solution 1:
You could, if you so desired, create a self-signed certificate which expires at 9999-12-31T23:59:59Z
, the largest possible date to encode by the current rules (the Y10k problem).
That certificate could then issue other certificates which also expired at that time.
The self-signed certificate will not get adopted by the OSes or browsers, though; because they all have rules against it.
Like the Microsoft Trusted Root Certificate: Program Requirements Rule 3: Root certificates must expire no more than 25 years after the date of application for distribution.
Surprisingly, there doesn't seem to be a concise statement of maximum validity for root authorities under CA/Browser rules, the Mozilla rules, or the Apple rules. Which probably means they just piggyback off of the Microsoft rules.
Solution 2:
If a CA had a root cert that had a suitably long expiration, they could issue certs for an equivalently long time. Certs issued by a CA will not be valid longer than the root cert even if the child cert has a longer expiration.
Solution 3:
You as a CA can put any best-before date in a X.509 certificate. In fact you can even skip that constraint.
The question is which client will accept them. This depends on the software package, on the software version, on the client configuration and possibly on other things from the context like time stamps, transparency logs, validity period of CA root and intermediates, actual kind of ca root (public or custom), key length, CRL freshness and OCSP content and others. So it it is hard to know without looking it all of this.
However the CA Browser Forum baseline requirements demand you only give a maximum validity of 39 month. A compliant web browser which relies on certificates most likely enforces this and stops trusting after this date (or never trust them):
In Section 6.3.2 of CA-Browser-Forum-BR 1.4.2:
Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period no greater than 39 months.
It might be the case that it does not enforce this for custom roots. You certainly will use your trusted state if you do it for officially trusted certificates.
Solution 4:
In theory, could a CA make a certificate that is valid for arbitrarily long?
No, theory doesn't hold that a certificate authority (CA) can issue a certificate that's valid for arbitrarily long. The problem's that we can't be sure that the signature methods can't be broken.
In practice, yes, you can create a certificate that claims to expire in 2000 years. However, if its signature method becomes broken before that point, it'd be foolish for anyone to accept it. Also the certificate format may become obsolete.