
We are deploying a security solution which uses certificates to validate documents. These certificates are issued by our government-authorized CA.

What if in a distant future, the CA who provided us with certs no longer works? How is this type of incident normally addressed? As a certificate owner, are we obligated to buy another certificate from another CA? Is this problem normally handled by the CA?

StackzOfZtuff

Kl0b

2 Answers


Certificates are transient in nature: they expire, and must be renewed. Even worse, the validity of a certificate is the property of the current time, since certificates may be revoked at any time. Therefore, if you want to store signed documents, and be able to validate them at a later date, then you need time stamps. See this answer for some details.

While time stamps protect your signed documents against a cessation of activity from the CA, an abrupt closure would still be a problem since, by ceasing to issue CRLs on a regular basis, the CA effectively revokes all existing certificates (at least that's the effect from the outside). Normally, contracts with CAs include strict clauses on the continuity of operations, up to and including financial provisions and/or guarantees that even in case of total business failure, CRLs will still be issued for some years.

When you renew your certificate, you are actually acquiring a new one. Nothing forces you to get that second certificate from the same source as the other one. You may think of these certificates as "the old one" and "the new one", but from an X.509 point of view they are just two certificates, which may relate to distinct issuing CAs. You will have to renew certificates on a regular basis anyway, since they have expiration dates. An out-of-business CA may "just" force you to renew earlier than expected.

Alternatively, you may want to operate your own CA, but it is going to be very expensive if you want to do it properly (a serious CA is 5% technology, 95% people and procedure).

Tom Leek

It seems as though they will last until the expiration of the certificates (as in, past the shutdown of the CA).

Quoting from this reddit thread:

IIRC, if the certs are not in a CRL, they should work until their expiration date regardless of whether the CA is online. The CA will continue to function after being p2v'ed so long as the server name doesn't change. IP address won't matter.

majorROM
If the last available CRL has a `nextUpdate` field in the past, and no newer CRL is produced by the CA, then systems that validate the certificates ought to reject them, because "certificate revocation status cannot be ascertained". Web browsers are an exception, since they just don't really bother honouring revocation. – Tom Leek Jul 13 '15 at 22:28
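As an added illustration (not code from either answer), here is a simplified Python model of the validation rule Tom Leek's answer and comment describe: a certificate's revocation status at an instant is decided from a CRL whose `thisUpdate`/`nextUpdate` window covers that instant, so once the defunct CA's last CRL passes its `nextUpdate`, status becomes undetermined, and only a trusted timestamp lets a document be verified as of an earlier instant. The `Cert`/`Crl` types, serial numbers, dates and the shutdown scenario are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Crl:
    this_update: datetime  # when the CA produced this CRL
    next_update: datetime  # the CA's promise: a fresher CRL by this time
    revoked: frozenset     # serial numbers listed as revoked

def revocation_status(cert: Cert, crls: list, at: datetime) -> str:
    """Status of `cert` at instant `at` from archived CRLs. A CRL covers `at` only
    while thisUpdate <= at < nextUpdate; if none does, status cannot be ascertained."""
    covering = [c for c in crls if c.this_update <= at < c.next_update]
    if not covering:
        return "undetermined"
    latest = max(covering, key=lambda c: c.this_update)
    return "revoked" if cert.serial in latest.revoked else "good"

def verify_at(cert: Cert, crls: list, timestamp: datetime = None) -> str:
    # A trusted timestamp pins verification to a past instant; without one only 'now' can be judged.
    at = timestamp if timestamp is not None else datetime.now(UTC)
    if not (cert.not_before <= at <= cert.not_after):
        return "expired"
    return revocation_status(cert, crls, at)

# Constructed scenario (not real data): the CA issued its last CRL on 2015-06-01
# with nextUpdate 2015-07-01 and then shut down for good.
SIGNER = Cert(0x1001, datetime(2014, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
REVOKED = Cert(0x0BAD, datetime(2014, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
LAST_CRLS = [
    Crl(datetime(2015, 5, 1, tzinfo=UTC), datetime(2015, 6, 1, tzinfo=UTC), frozenset({0x0BAD})),
    Crl(datetime(2015, 6, 1, tzinfo=UTC), datetime(2015, 7, 1, tzinfo=UTC), frozenset({0x0BAD})),
]

def run_scenario() -> dict:
    in_window = datetime(2015, 6, 15, tzinfo=UTC)  # inside the last CRL window
    after = datetime(2015, 8, 1, tzinfo=UTC)       # after nextUpdate, no successor CRL
    return {
        "timestamped_in_window": verify_at(SIGNER, LAST_CRLS, in_window),   # good
        "timestamped_after_shutdown": verify_at(SIGNER, LAST_CRLS, after),  # undetermined
        "revoked_signer": verify_at(REVOKED, LAST_CRLS, in_window),         # revoked
        "no_timestamp": verify_at(SIGNER, LAST_CRLS, None),                 # expired
    }
```

Real validators additionally check the CRL's signature and issuer and the certificate chain, and browsers, as the comment notes, often skip revocation checks entirely.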