> On 1 Aug 2017, at 6:13 pm, Peter Bowen via Public <[email protected]> wrote:
> 
> We’ve had an interesting situation come up that isn’t clearly covered in the 
> BRs.
…
> So I have two questions:
> 1) Does anyone think setting a notBefore well before the issuance dates a 
> problem, as long as the certificate includes a timestamp that represents the 
> issuance date and the CA previously issued a certificate for the same domain 
> name(s) to the same applicant that has a validity period that spans from the 
> notBefore to issuance date?

I can’t immediately think of any reason not to allow this, but if you do this, 
please create a precertificate, upload it to CT, and put a SCT in the 
certificate as an indicator of the actual time of issuance.

(I think it’s a good general rule that the more weird is the thing you’re 
doing, the more transparent you want to be about it.)

> 2) What is the latest acceptable notAfter date?  39 months (or 825 days in 
> the future) from the notBefore date or from the issuance date?

From the issuance date—in the BRs, the ‘Validity Period’ runs from issuance to 
expiry.  In fact I can’t find anything in the BRs about when the notBefore 
timestamp should be.

What people will actually check is the time between the SCT and the certificate 
expiry.  Make sure that’s less than 39 months/825 days.

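As an added example (not from this thread or any CA's tooling), here is a Python sketch of the check the reply describes: it pulls the timestamp out of an RFC 6962 v1 SCT and measures validity from that timestamp to notAfter rather than from a backdated notBefore. The SCT bytes, the dates and the use of 825 days as the limit are constructed assumptions for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=825)   # the BR limit the reply cites (also "39 months")
UTC = timezone.utc

def sct_timestamp(sct: bytes) -> datetime:
    """Issuance time recorded in a v1 SignedCertificateTimestamp (RFC 6962 s3.2).

    Wire layout: version(1) | log_id(32) | timestamp ms(8, big-endian)
                 | extensions length(2) | extensions | digitally-signed struct
    """
    if len(sct) < 41 or sct[0] != 0:
        raise ValueError("not a v1 SCT")
    (ms,) = struct.unpack(">Q", sct[33:41])
    return datetime.fromtimestamp(ms // 1000, tz=UTC) + timedelta(milliseconds=ms % 1000)

def check_validity(sct: bytes, not_before: datetime, not_after: datetime) -> dict:
    """Measure the validity period the way the reply says relying parties will:
    from the SCT timestamp to notAfter, not from a possibly backdated notBefore."""
    issued = sct_timestamp(sct)
    effective = not_after - issued
    return {
        "issued": issued,
        "backdated": not_before < issued,              # notBefore set before real issuance
        "nominal_validity_days": (not_after - not_before).days,
        "effective_validity_days": effective.days,
        "ok": not_before <= issued < not_after and effective <= MAX_VALIDITY,
    }

def build_test_sct(issued: datetime) -> bytes:
    """Constructed SCT for testing: all-zero log id and an empty signature body
    (a real SCT carries a log's key hash and the log's signature)."""
    ms = int(issued.timestamp() * 1000)
    return bytes([0]) + bytes(32) + struct.pack(">Q", ms) + struct.pack(">H", 0) + bytes(4)

# Constructed sample: notBefore backdated six months before the real (SCT) issuance.
ISSUED = datetime(2017, 8, 1, tzinfo=UTC)
NOT_BEFORE = datetime(2017, 2, 1, tzinfo=UTC)
NOT_AFTER = datetime(2019, 11, 1, tzinfo=UTC)          # 822 days after ISSUED
NOT_AFTER_TOO_LATE = NOT_AFTER + timedelta(days=4)     # 826 days after ISSUED

def demo() -> dict:
    return check_validity(build_test_sct(ISSUED), NOT_BEFORE, NOT_AFTER)

if __name__ == "__main__":
    for label, na in (("ok", NOT_AFTER), ("too long", NOT_AFTER_TOO_LATE)):
        print(label, check_validity(build_test_sct(ISSUED), NOT_BEFORE, na))
```

The sample certificate spans 1003 days from its backdated notBefore but only 822 days from the SCT timestamp, so it passes; moving notAfter four days later fails the 825-day check.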

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
