5

In the case of a server SSL certificate, it is issued by a CA, which can then recall it until it expires. Also, the CA typically collects a fee for each certificate, so it is interested in certificates expiring every year or so.

My question is about client certificates. Suppose I want to make calls to Azure Management API service. I generate a certificate on my computer, export it with a public key and then upload it into Azure Management Portal. Then I write some code that loads the same exported certificate from a local file and somehow magically authenticates the HTTPS connection. The Management API service gets the request and checks whether the certificate used is the right one.

The point is there's no authority here. If my certificate gets compromised I generate a new one myself and then go to the portal and add the new certificate and delete the old one. I then change my client software and whoever has copied my earlier certificate is locked out.

It sounds like it's in my interest to generate a certificate that expires as late as possible - something like 10+ or 50+ years from now.

Why would I not generate a certificate expiring as late as possible in this scenario?

sharptooth

2 Answers

7
  1. Because what was considered adequate security 10 years ago is not the case today (or we'd all be using SSL_RSA_EXPORT_WITH_RC4_40_MD5).

  2. Because it makes CRLs unmanageable - now we have OCSP for that, but it would require more frequent checking and moves the volume problem elsewhere.

  3. Because it doesn't fit the business model of the incumbent certification authorities - if there was a (provably) perfect cipher suite their revenue stream would be destroyed.

symcbean
  • (I should also add that certificates may be compromised by other means than a direct attack on the cipher - i.e. the key might be stolen) – symcbean Jan 23 '15 at 10:38
  • I can generate a new certificate at any moment if I feel I have a weak one. And I'm generating it myself (no CA) anyway - no matter which expiration date I choose. – sharptooth Jan 23 '15 at 11:22
2

symcbean has a good answer, though I'm going to add another:

  1. Because while YOU will generate a new certificate at any moment if you feel you have a weak one, the average user (be it a company or an individual) WILL NOT generate a new certificate until their current certificate expires itself. And then they'll take all the defaults again - we just hope the new defaults are better than the old defaults.

This is true also if you're generating certs now, and someone else who is lazier and/or less informed takes over in the future for whatever reason (you retire to a privately owned tropical island, for example).

Anti-weakpasswords
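An added example, not part of the question or of either answer: a periodic audit that flags client certificates whose lifetime or key parameters fall outside current policy, which is the check that catches a long-lived certificate nobody rotated. It uses the Python `cryptography` package; the thresholds, helper names and generated certificates are constructed assumptions, not Azure requirements.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

WEAK_HASHES = {"md5", "sha1"}  # assumption: hashes this policy treats as outdated

def new_key(bits=2048):
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)

def make_self_signed(key, days, cn="constructed-client"):
    """Build a constructed self-signed certificate valid for `days` days."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2015, 1, 23)  # constructed start date (UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # issuer == subject: no CA involved
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=days))
        .sign(key, hashes.SHA256())
    )

def lifetime_days(cert):
    try:  # cryptography >= 42
        return (cert.not_valid_after_utc - cert.not_valid_before_utc).days
    except AttributeError:  # older releases
        return (cert.not_valid_after - cert.not_valid_before).days

def audit(cert, max_days=730, min_rsa_bits=2048):
    """Return findings; thresholds are policy inputs expected to tighten over time."""
    findings = []
    days = lifetime_days(cert)
    if days > max_days:
        findings.append(f"lifetime {days}d exceeds policy maximum {max_days}d")
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < min_rsa_bits:
        findings.append(f"RSA {pub.key_size}-bit key below minimum {min_rsa_bits}")
    algo = cert.signature_hash_algorithm
    if algo is not None and algo.name in WEAK_HASHES:
        findings.append(f"signature hash {algo.name} is outdated")
    return findings

if __name__ == "__main__":
    key = new_key()
    for days in (365, 365 * 50):
        print(days, audit(make_self_signed(key, days)))
```

Re-running `audit` with a stricter `min_rsa_bits` models the first answer's point: a certificate that passed when it was issued can fail years later while still being far from expiry.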