Can a server certificate expire after its issuer?

According to the SSL FAQ:

"the validity (and thus level of trust) of a given certificate is determined by the corresponding validity of the higher-level certificate that signed it."

So while it is technically possible to make a certificate which lasts longer than its issuer, it makes no sense, as the chain becomes broken the moment an intermediate (or the root) certificate becomes invalid (for whatever reason). No client should (and none does) trust such a chain.


The signature of the certificate depends only on the public key in the issuer certificate and not on the expiration of the issuer's certificate or other parameters. The path validation, though, depends on all certificates in the trust chain not being expired.

If the client has only the server certificate and an expired issuer certificate, then the path validation should fail. But it is quite common that certificates get renewed, i.e. a new certificate with a different expiration but the same public key gets created. This is true for CA certificates too. Thus, if the client has this new issuer certificate, it can still validate the issuer's signature, since it only depends on the public key, which stayed the same. And if the renewed CA certificate is also not expired, the path validation succeeds even if at the time of the leaf certificate's creation another CA certificate was used.
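
The renewal case described above, as an added example that is not part of the original answers. It assumes the Python `cryptography` package; the names, dates and the two-certificate `path_valid` check are constructed for illustration and cover only signature and validity period, not the full RFC 5280 algorithm.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"
DAY = timedelta(days=1)
CA_KEY = ec.generate_private_key(ec.SECP256R1())  # one CA key pair, reused on renewal
LEAF_KEY = ec.generate_private_key(ec.SECP256R1())

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, pub, start, end):
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name("Example CA"))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end)
            .sign(CA_KEY, hashes.SHA256()))

def signed_by(cert, issuer):
    """Signature check: uses only the issuer's public key, never its dates."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def in_validity(cert, at):
    try:  # cryptography >= 42
        start, end = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # older releases return naive UTC datetimes
        start, end = (d.replace(tzinfo=timezone.utc)
                      for d in (cert.not_valid_before, cert.not_valid_after))
    return start <= at <= end

def path_valid(leaf, ca, at):
    """Simplified path check: issuer signature plus validity of both certs."""
    return signed_by(leaf, ca) and in_validity(leaf, at) and in_validity(ca, at)

# Old CA certificate expired before NOW; the renewal keeps the same key pair.
old_ca = make_cert("Example CA", CA_KEY.public_key(), NOW - 730 * DAY, NOW - 30 * DAY)
new_ca = make_cert("Example CA", CA_KEY.public_key(), NOW - 60 * DAY, NOW + 3650 * DAY)
# Leaf issued while old_ca was current, with a lifetime that outlasts it.
leaf = make_cert("www.example.test", LEAF_KEY.public_key(), NOW - 90 * DAY, NOW + 275 * DAY)
for ca in (old_ca, new_ca):  # prints "True False", then "True True"
    print(signed_by(leaf, ca), path_valid(leaf, ca, NOW))
```

The leaf's signature verifies against both CA certificates because they carry the same public key; only the validity check separates the expired issuer from the renewed one.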