
If I create a CSR with openssl and set the expiration date to 5 years, is it possible that the signing CA will set the expiry date to, say, one year? Which one takes precedence?

EDIT: ok, I think the answer from the StackOverflow post answers the question:

Extract requested validity period from a Certificate Signing Request using OpenSSL

"I've been trying to figure out how to request a specific validity period in a CSR, and as far as I can tell, the CSR simply doesn't carry that information. The CSR's structure is defined in PKCS#10 / RFC 2986, and it doesn't have a field specifically for a requested validity period. The attributes and extensions that can be put in the CSR are listed in PKCS#9, and there's nothing there about validity periods. And finally, I can do an openssl asn1parse on my generated CSRs and find that there's no validity-period-related information included regardless of what I pass to openssl req."

Anders
cyzczy
    It is very common that CAs ignore most of the information given in a CSR. Validity especially, since it is influenced by standards like the CAB baseline as well as pricing terms. – eckes Aug 17 '17 at 00:14

1 Answer


Correct. The relevant standard is the X.509 spec in RFC5280:

4.1.2.5. Validity

The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate.

Basically, as the certificate requester, you have absolutely no say in the validity period of your cert; this is 100% at the discretion of the CA.


To get an intuition for why this makes sense, consider the other use that X.509 was designed for: S/MIME email certs in a corporate environment. Clearly your corporate sysadmin gets to choose how often you roll over your keys, not the end-user.

This philosophy applies to web TLS certs in that CAs have a responsibility not to issue certs valid for a longer period than it will take to crack them (imagine someone requesting a 10-year cert for an RSA-1024 key). This responsibility is governed in part by the CA/Browser Forum. For example, see this CA/B requirement:

  1. What are in the Baseline Requirements?

Validity period for certificates issued after July 1, 2012 must not exceed 60 months and issued after April 1, 2015 must not exceed 39 months.


In practice, each CA has a fixed validity period for all certs it issues, though some CAs will issue longer certs at an increased price.

Mike Ounsworth
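Both points above can be checked end to end with the openssl CLI: the asn1parse observation quoted in the question (a PKCS#10 CSR carries no validity field) and the answer's claim that the CA alone decides notBefore/notAfter. The script below is an added example, not code from the original question or answer. It assumes only that the openssl binary is on PATH; every file name, subject and the working directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post. Shows with the openssl CLI that a
# PKCS#10 CSR carries no validity period and that the signing CA alone sets
# notBefore/notAfter. Assumes openssl is on PATH; file names and subjects are
# constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Requester side: key plus CSR. '-days 1825' asks for five years, but openssl req
# only honours -days together with -x509 (a self-signed cert); for a CSR it is dropped.
make_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/req.key" -out "$WORK/req.csr" \
        -subj "/CN=req.example.test" -days 1825 >/dev/null 2>&1
}

# Count ASN.1 time values (UTCTime/GeneralizedTime) in the CSR's DER encoding.
# A certificate's TBSCertificate has a Validity SEQUENCE of two such values; the
# CertificationRequestInfo of RFC 2986 has no such field, so this prints 0.
csr_time_values() {
    openssl req -in "$WORK/req.csr" -outform DER 2>/dev/null \
        | openssl asn1parse -inform DER \
        | grep -c -E 'UTCTIME|GENERALIZEDTIME' || true
}

# CA side: a self-signed root, then sign the CSR for one year. The CA's -days wins
# because the validity is written into the certificate at signing time, not copied
# from the CSR (there is nothing to copy).
issue_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo Root CA" -days 3650 >/dev/null 2>&1
    openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/issued.crt" >/dev/null 2>&1
}

# Measure the issued validity without date(1) portability issues: -checkend N exits 0
# if the cert is still valid N seconds from now. Valid at +364 days but not at +366
# days means the CA wrote a 365-day window, whatever the CSR asked for.
issued_validity_days() {
    if openssl x509 -in "$WORK/issued.crt" -noout -checkend $((364 * 86400)) >/dev/null \
       && ! openssl x509 -in "$WORK/issued.crt" -noout -checkend $((366 * 86400)) >/dev/null; then
        echo 365
    else
        echo other
    fi
}

main() {
    make_csr
    echo "ASN.1 time values in CSR: $(csr_time_values)"
    issue_cert
    openssl x509 -in "$WORK/issued.crt" -noout -startdate -enddate
    echo "issued validity (days): $(issued_validity_days)"
}
main
```

The CSR side reports zero time values no matter what `-days` was passed to `openssl req`, while the certificate that comes back from `openssl x509 -req` has exactly the window the CA chose. The same split holds for a commercial CA: the request carries the key and subject, the issuer's policy (and the CA/B limits the answer cites) supply the dates.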