Hi Jaime,

>> Thanks for the help, I will start a new CA as soon as possible. How
>> long expiration time should be ok for a corporate CA cert, 20 or 30
>> years?
>
>> Seems that Verisign and Entrust use 20 or 30 years for their CA certs.
>
> That's right, but most security folks don't like such long times - I
> suggest 8 years - so if you issue 2 year-valid enduser certs you have 6
> years "usage" time

I agree with Oliver's opinion. 8 years sounds reasonable. If you really
want to address CA rollover properly, issue a new CA after 4 years and
use the new one for issuing certs from then on. The old CA should only
be used for issuing CRLs. That way you are able to issue end entity
certs with a maximum validity of four years at any given point in the
CA lifecycle.

Martin
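
The rollover schedule discussed in this thread, modeled as an added example (not part of the original messages or of OpenCA). It assumes an end entity cert must expire no later than its issuing CA; the start date and the function names are constructed for illustration.

```python
from datetime import date

CA_LIFETIME_YEARS = 8  # CA certificate validity suggested in the thread
ROLLOVER_YEARS = 4     # a new CA is issued every 4 years

def add_years(d, years):
    """Shift a date by whole years (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def ca_generations(first_start, count):
    """Return [(name, not_before, not_after)] for successive CAs."""
    cas = []
    for i in range(count):
        start = add_years(first_start, i * ROLLOVER_YEARS)
        cas.append((f"CA{i + 1}", start, add_years(start, CA_LIFETIME_YEARS)))
    return cas

def valid_cas(cas, today):
    """CAs inside their validity period; each still has to publish CRLs."""
    return [ca for ca in cas if ca[1] <= today < ca[2]]

def issue(cas, today, validity_years):
    """Sign with the newest valid CA; refuse a cert that would outlive it."""
    candidates = valid_cas(cas, today)
    if not candidates:
        raise ValueError("no valid CA on this date")
    name, _, ca_end = max(candidates, key=lambda ca: ca[1])
    not_after = add_years(today, validity_years)
    if not_after > ca_end:
        raise ValueError(f"cert would outlive {name} (expires {ca_end})")
    return name, not_after

if __name__ == "__main__":
    start = date(2005, 1, 1)  # constructed start date
    rolled = ca_generations(start, 3)
    for day in (date(2008, 12, 31), date(2009, 1, 1), date(2012, 12, 31)):
        print(day, issue(rolled, day, 4), [c[0] for c in valid_cas(rolled, day)])
    try:  # a single 8-year CA cannot issue 2-year certs after year 6
        issue(ca_generations(start, 1), date(2011, 6, 1), 2)
    except ValueError as err:
        print("single CA:", err)
```

With rollover, a 4-year cert fits at every issuance date, while the previous CA stays in the valid set only to keep signing CRLs until it expires.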
