Creating a Certificate Renewal Strategy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

CAs continue to issue and renew certificates until they reach the end of their established lifetimes. Certificates expire when the issuing CA reaches the end of its established lifetime, unless:

  • They are renewed with a new key pair to extend their lifetime.

  • They are revoked before the expiration date is reached.

  • They are considered to have expired because an issuing CA is unavailable to verify their validity.

Certificate lifetimes impact the security of your PKI for the following reasons:

  • Over a period of time, encryption keys become more vulnerable to attack. In general, the longer the period of time that a key pair is in use, the greater the risk that the key can be compromised. To mitigate this risk, you must establish maximum allowable key lifetimes and renew certificates with new key pairs before these limits are exceeded.

  • When a CA certificate expires, all subordinate CAs that depend upon this CA for validation also expire.

  • When a CA certificate is renewed, all certificates that have been issued by the CA can be renewed for a period based on the nesting guidelines described in the following section.

To reduce the risk of a private key becoming compromised, the private key and public key sets for certificates can be renewed each time the certificates are renewed, instead of when the keys reach their maximum lifetimes. You can renew CAs by assigning them a new key pair or by using the existing key pair. If you create a new key pair and the original certificate has not yet expired, it must have a new Subject Key Identifier (SKI) and a separate CRL. Renewing certificates with new key sets is not possible for some hardware-based CSPs, either because key storage limits prohibit this or because key generation takes a long time.

Note

Certificate lifetimes affect the number of certificate renewal requests that are transmitted across your network. For users in remote offices who are connecting to the network across slow links, you might want to lengthen certificate lifetimes to reduce the number and frequency of these requests.

To create a certificate renewal strategy, determine the following:

  • Which certificates, if any, are you allowed to renew?

  • How often can a certificate be renewed before its key is retired?

In general, certificates with stronger keys that are used less frequently and that are less available to potential attackers can justify longer lifetimes and at least one renewal. Certificates with average key lengths and shorter lifetimes can be renewed more frequently — but not beyond the validity date for the certificate that authorizes the CA that issued the certificate. This is called nested validity or nested expiration.

Nesting Certificate Lifetimes

In addition to defining certificate lifetimes for your Windows Server 2003 CAs, you need to confirm that certificate lifetimes and renewals do not extend beyond the lifetimes of the CAs that are above them in the hierarchy.

By default, the certificate for the root CA has a longer lifetime than certificates for the other CAs in the hierarchy. This is because a Windows Server 2003 CA cannot issue certificates with a lifetime that extends beyond the validity period of its own certificate. If the lifetime specified for a requested certificate type exceeds the expiration date of the certificate of the CA, the CA truncates the lifetime of the issued certificate to match the expiration date for its own certificate.

For example:

  • If the end date of a Windows Server 2003 root CA certificate is January 2, 2012, no Windows Server 2003 child CA in the chain below the root can issue a certificate with a date that is past January 2, 2012.

  • If a Windows Server 2003 intermediate CA has a certificate end date of January 2, 2008, no Windows Server 2003 child CA can issue certificates with an end date that is past January 2, 2008.

  • If a Windows Server 2003 issuing CA has a certificate end date of January 2, 2004, no certificate that the CA issues can have an end date that is past January 2, 2004.

  • If the end date of a Windows Server 2003 CA certificate is January 2, 2004, and it receives a request to issue a one-year certificate on August 1, 2002, the CA issues the one-year certificate with an end date of July 31, 2003. However, if the CA receives a request to issue a one-year certificate on August 1, 2003, the CA issues the certificate with an end date of January 2, 2004.

  • A Windows Server 2003 CA with a certificate lifetime of five years with an end date of January 2, 2007, can issue one-year certificates until January 2, 2006, or two-year certificates until January 2, 2005. After January 2, 2005, the CA does not issue two-year certificates. It truncates the validity end date to January 2, 2007. Likewise, after January 2, 2006, the CA truncates the validity end date of both one-year and two-year certificates to January 2, 2007.
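The truncation rule above is simple enough to check programmatically. The following is an added example (not Microsoft's code or tooling): it computes the effective end date a CA would give an N-year request, reports whether nesting truncated it, and flags any CA in a hierarchy whose certificate outlives its parent. It assumes the page's convention that a one-year certificate requested on August 1, 2002 ends on July 31, 2003 (anniversary minus one day).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CaCert:
    """A CA certificate reduced to what nesting depends on: its end date."""
    name: str
    not_after: date


def requested_end(start: date, years: int) -> date:
    """End date for an N-year request: the anniversary minus one day
    (assumed convention, matching Aug 1, 2002 -> Jul 31, 2003 on the page)."""
    try:
        anniversary = start.replace(year=start.year + years)
    except ValueError:  # Feb 29 start with a non-leap target year
        anniversary = start.replace(year=start.year + years, day=28)
    return anniversary - timedelta(days=1)


def issue(ca: CaCert, start: date, years: int) -> tuple[date, bool]:
    """Return (effective end date, truncated) for a cert issued by `ca`.
    A CA cannot issue past its own notAfter, so the end date is clamped."""
    if start > ca.not_after:
        raise ValueError(f"{ca.name}: CA certificate already expired on {ca.not_after}")
    wanted = requested_end(start, years)
    if wanted > ca.not_after:
        return ca.not_after, True
    return wanted, False


def check_nesting(chain: list[CaCert]) -> list[str]:
    """`chain` is ordered root first. Report every CA whose certificate
    ends after its issuer's, which the hierarchy should never allow."""
    problems = []
    for parent, child in zip(chain, chain[1:]):
        if child.not_after > parent.not_after:
            problems.append(f"{child.name} outlives {parent.name}")
    return problems


if __name__ == "__main__":
    # Constructed sample hierarchy using the page's example end dates.
    issuing = CaCert("issuing", date(2004, 1, 2))
    hierarchy = [CaCert("root", date(2012, 1, 2)),
                 CaCert("intermediate", date(2008, 1, 2)), issuing]
    print("nesting problems:", check_nesting(hierarchy) or "none")
    for day in (date(2002, 8, 1), date(2003, 8, 1)):
        end, cut = issue(issuing, day, 1)
        print(f"1-year request on {day}: ends {end}{' (truncated)' if cut else ''}")
```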

The more nesting you have in your certification hierarchy, the shorter the certificate lifetimes become. Plan your certificate life cycles so that nesting does not force unnecessarily short certificate lifetimes and frequent renewal cycles. If you specify long lifetimes for CAs and later discover that the CAs are not secure, you can renew CAs in the certification hierarchy with shorter lifetimes to reduce the potential security risks.

Note