Certificate Manager internal CA and certificate validity

  • Hi,

    I'm running pfSense 2.4.2p1 and just started playing with the certificate manager. I have created an internal-ca with a validity of 10 years (default). I then created a new server certificate, but as a test entered a longer "valid until" date than the CA. I was a bit surprised to find the CA signed the certificate using the longer expiry date. My understanding was that a CA should only sign certificates based on its own valid until date. I can see a problem whereby a user will install a server certificate in the future thinking it is valid for x number of years, only to find the CA expires before then.

    Does anyone know if this is a known issue that needs to be highlighted in a bug tracker?


  • LAYER 8 Global Moderator

    So you're saying your CA is good until, say, Jan 1 2028, and your cert says it's good till Jan 1 2030? Or something like that?

    I do not believe there is a requirement in any RFC that a CA cannot issue a cert longer than its current life. While some CAs have implemented such a check - off the top of my head I am not aware of any specific RFC that declares a CA cannot sign a cert with a life longer than the CA's current life.

  • That's correct. That's what I'm seeing. I create a server certificate using the internal CA and it allows me to put a longer valid date on the certificate.

  • LAYER 8 Global Moderator

    See my edit…

    Even when the CA expires, as long as you create the new CA with the private key of the old CA, the signed cert will still validate off the new CA. You would just need to trust the new CA you created from the old CA's private key.

    If that weren't the case, as the CA got closer to its expiry date you could only sign certs for shorter and shorter lengths of time...

  • OK, thanks. I guess the server certificate would be deemed invalid once the CA expires anyway, as the chain of trust would be broken? Putting a check into the code at the time of signing would prevent certificates mistakenly being signed with a non-valid expiry date, but then again I guess it is up to the admin to make sure his CA and the certificates being signed are using the correct dates in the first place :)

  • LAYER 8 Global Moderator

    Yeah, I do not think there is an RFC stating you cannot sign certs for longer - there are scenarios where you would for sure need to be able to do that.

    Let's say you need to issue certs for 3 years, but your CA expires in 2. So now you have to redo your CA 2 years before it expires. That would suck ;) So you just make sure that you create your NEW CA with the same private key before the 2 years expire.
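The scenario the thread describes can be reproduced with the plain `openssl` command-line tool. The script below is an added example, not code from the thread or from pfSense: it builds a 2-year CA, signs a 3-year server certificate with it (OpenSSL does not refuse), shows that the chain fails verification once the CA has expired even though the leaf has not, and then re-issues the CA certificate from the same private key and subject and shows the old leaf verifying cleanly against the renewed CA. All file names, subject names and validity periods are constructed for the demonstration; it assumes `openssl` 1.1.0 or newer on PATH (for `verify -attime`) and a writable temp directory.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): leaf outliving its CA, and CA renewal with the same key.
set -e

WORK=$(mktemp -d)           # scratch directory for the constructed PKI
CA_DAYS=730                 # internal CA valid ~2 years
LEAF_DAYS=1095              # server cert valid ~3 years, longer than the CA
PROBE=$(( 800 * 86400 ))    # seconds until a probe instant ~800 days out: CA1 expired, leaf still valid

# Build CA1, a server CSR, a leaf signed by CA1 with the longer lifetime, and CA2
# (a renewed CA certificate made from CA1's private key with the same subject name).
setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca1.pem" \
        -days "$CA_DAYS" -subj "/CN=Example Internal CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=srv.example.test" >/dev/null 2>&1
    # The CA happily signs a certificate whose notAfter lies beyond its own.
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/srv.pem" -days "$LEAF_DAYS" >/dev/null 2>&1
    # Renewal: same private key and subject, fresh 10-year validity.
    openssl req -x509 -key "$WORK/ca.key" -out "$WORK/ca2.pem" -days 3650 \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# outlives CERT SECONDS: prints "yes" if CERT is still valid SECONDS from now, else "no".
outlives() {
    if openssl x509 -in "$WORK/$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# chain_ok CAFILE SECONDS: prints "ok" if srv.pem verifies against CAFILE at now+SECONDS, else "fail".
chain_ok() {
    if openssl verify -attime "$(( $(date +%s) + $2 ))" -CAfile "$WORK/$1" "$WORK/srv.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

setup
printf 'CA1 still valid at probe time:      %s\n' "$(outlives ca1.pem "$PROBE")"
printf 'leaf still valid at probe time:     %s\n' "$(outlives srv.pem "$PROBE")"
printf 'leaf verifies against CA1 now:      %s\n' "$(chain_ok ca1.pem 0)"
printf 'leaf verifies against CA1 at probe: %s\n' "$(chain_ok ca1.pem "$PROBE")"
printf 'leaf verifies against CA2 at probe: %s\n' "$(chain_ok ca2.pem "$PROBE")"
```

The middle two results are the part worth noticing from an operations standpoint: nothing at signing time stops the leaf from outliving the CA, and once the CA certificate expires, every client that only trusts CA1 rejects the still-unexpired leaf. The last line shows why the moderator's advice works: the leaf's signature was made with the key that CA2 also carries, so distributing CA2 to clients before CA1 expires keeps existing certificates valid without re-issuing them. Alerting on the CA's own `notAfter` (for example with `openssl x509 -checkend`, as the script does) is the simplest way to avoid finding this out the hard way.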
