On 06.10.23 22:17, Bo Berglund wrote:
In easyrsa2 one could enter a longer expiration [...] like 7300 (20 years). [...] will my suggested expirations above not work?
Define "work". If you create a CA cert with a lifetime of 20 years and leaf certs with a lifetime of 100 days less today, and keep using the software of today, then your clients and servers will still be able to communicate in mid-2043.
Note that a leaf cert you create with that CA in 2030 with a lifetime of 7200 days, however, SHOULD cease to be accepted when the CA cert expires in October 2043, *not* at the time of its *own* expiry (in 2049/2050).
Last not least, for how long your setup will "work" in the sense of "be sufficiently safe against intrusion/cracking attempts" is an entirely different question. The BSI, for example, refuses to speculate about the suitability of entire *algorithms* further than seven years down the road:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=5#%5B%7B%22num%22%3A31%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C99.2%2C302.739%2C0%5D
And even *if* RSA were still acceptable in 2043, chances are that the OpenSSL versions available then might outright reject your 3 or 4 kb CA keypair as being of insufficient length, or balk at hashes predating SHA-4.
Add to that that there's always the possibility of a privkey being leaked (rogue employee?), thus requiring it being revoked and replaced - at the least preferable time of course, as usual.
My conclusion is that the most important thing to do to make whatever system using a PKI survive a decade or more is not to pick some "good and immortal" crypto parameters from day one, but to make sure that you got keypair/cert/CRL rollovers implemented end-to-end and well-tested while you still have a nominal devel budget for the project.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
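A toy model of the chain check described in the mail, added here as an example (not code from the mail, easy-rsa or OpenVPN); it uses only the Python standard library and assumes a CA created on the date of the mail with 7300 days and a leaf issued on 2030-01-01 with 7200 days, both constructed for illustration:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: Optional[str]      # None for a self-signed root CA
    not_before: date
    not_after: date

def issue(name: str, issuer: Optional[str], issued: date, days: int) -> Cert:
    """Model easy-rsa style day-count lifetimes: notAfter = issue date + N days."""
    return Cert(name, issuer, issued, issued + timedelta(days=days))

def effective_validity(chain: List[Cert]) -> Tuple[date, date]:
    """Window in which the whole chain (leaf first, root last) is accepted:
    the intersection of every cert's own window, so the leaf can never
    outlive the CA that signed it, whatever its own notAfter says."""
    return (max(c.not_before for c in chain), min(c.not_after for c in chain))

def accepted_at(chain: List[Cert], when: date) -> Tuple[bool, str]:
    """What a path validator does: every cert in the chain must be inside its
    own validity window at `when` and must name the next cert as its issuer."""
    for i, cert in enumerate(chain):
        if not (cert.not_before <= when <= cert.not_after):
            return False, f"{cert.name} is outside its validity period at {when}"
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        if issuer is not None and cert.issuer != issuer.name:
            return False, f"{cert.name} was not issued by {issuer.name}"
    return True, "chain valid"

def accepted_on(chain: List[Cert], when_iso: str) -> Tuple[bool, str]:
    """Same check with an ISO date string, e.g. '2045-01-01'."""
    return accepted_at(chain, date.fromisoformat(when_iso))

# Constructed sample (hypothetical names): CA made on the day of the mail with
# 7300 days, leaf issued in 2030 with 7200 days, as in the thread.
CA = issue("ca", None, date(2023, 10, 6), 7300)                 # notAfter 2043-10-01
LEAF_2030 = issue("vpn-server", "ca", date(2030, 1, 1), 7200)  # own notAfter 2049-09-18

if __name__ == "__main__":
    print("effective window of leaf+CA:", effective_validity([LEAF_2030, CA]))
    for when in ("2040-06-01", "2045-01-01"):   # second date: CA expired, leaf not
        print(when, accepted_on([LEAF_2030, CA], when))
```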
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users