* sgsax hates ssl certs
< Landon> indeed
< Landon> next time my servers cert expires I'm just going to make one 
                for 100 years or something ridiculously long

Is there anything wrong with the above reasoning? Obviously someone might brute force it in 100 years, but how do you determine what's an acceptable time frame?


3 Answers


It greatly depends on what your cert is for. If it is for identifying a specific website, you can probably make one that lasts until the expiry date for that domain. After the domain is renewed, you can also renew the SSL cert.

But if you are making a root cert for your own CA, you may want to make a long-term cert so that all the other certs generated by your own CA do not become invalid too soon. Something like 10 years is probably fine.

So, it all depends.


to build on duffbeer703, this is about identity and integrity. the identity verified by the certificate is trusted because the signing CA is trusted. if the CA signs certificates for 100 years, that generally is not trustworthy behavior and so the certificates they sign should not be trusted.

it is unlikely that a server identity will remain the same, let alone in existence for 100 years. also if the server is compromised its certs can be stolen and used to identify another server as yours. short lived certs make more frequent cert verification necessary thus making server identity theft less of a threat.

if you manage the entire chain, then it is less of a concern, especially if the only person needing the server identity verified is you. the more people depending on the server identity, the more important it is that good practices are followed by the CA.

Mark Carey
  • Isn't that what a CRL is for, listing revoked certs? – Bill Weiss Dec 10 '09 at 01:35
  • If you don't really know what you are doing, will you even know that a cert still exists in 2020. The motivation for the 100 year cert sounded like laziness to me. – duffbeer703 Dec 10 '09 at 02:10
  • @bill CRLs are frequently not honored or checked by many ssl clients. It's still good practice to use them, but it's not a panacea. Good practices are good practices for a reason. – Mark Carey Dec 10 '09 at 07:09
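An added example, not from any of the answers above, that puts the previous answer's point about lifetime into practice with the openssl CLI: mint a throwaway self-signed cert with a given number of days (the "-days 36500" the question is contemplating) and flag it when it outlives a policy limit. The CN, the file names and the 398-day leaf limit are assumptions, and the script assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is
# installed; the CN, file names and the 398-day limit are assumptions.

# make_cert DAYS OUTPREFIX
# Mint a throwaway self-signed RSA cert valid for DAYS days, writing
# OUTPREFIX.key and OUTPREFIX.pem.
make_cert() {
    days=$1
    out=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=example.internal" \
        -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
}

# cert_not_after CERT
# Print the notAfter date so a reviewer can see when the cert really ends.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# outlives_limit CERT LIMIT_DAYS
# Succeed when CERT is still valid LIMIT_DAYS from now, i.e. its lifetime
# exceeds the policy. "openssl x509 -checkend N" exits 0 only if the cert
# will NOT have expired N seconds from now, which is exactly that test.
outlives_limit() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# lint_cert CERT LIMIT_DAYS
# Print TOO-LONG or OK so the verdict can be consumed by audit scripts.
lint_cert() {
    if outlives_limit "$1" "$2"; then
        echo "TOO-LONG"
    else
        echo "OK"
    fi
}

# Demo: the 100-year cert from the question next to a 90-day one.
demo() {
    dir=$(mktemp -d)
    make_cert 36500 "$dir/century"
    make_cert 90 "$dir/quarter"
    echo "century cert ends $(cert_not_after "$dir/century.pem"): $(lint_cert "$dir/century.pem" 398)"
    echo "quarter cert ends $(cert_not_after "$dir/quarter.pem"): $(lint_cert "$dir/quarter.pem" 398)"
    rm -rf "$dir"
}

demo
```

The same lint_cert call works on any PEM you already have on disk, so it can be run over a server's certificate directory to find the long-lived ones the previous answer warns about.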

Can you do it? Sure -- if you're generating a throwaway self-signed cert that is for trivial business or personal use. If you're going to set up a PKI for anything more serious, you need to learn more about the issues involved.

PKI is about more than just encryption -- it's about establishing a chain of trust.

A good resource is "Windows Server 2008 PKI and Certificate Security" by Brian Komar, which describes all of the various PKI scenarios that you are likely to care about. You don't need to use Microsoft's CA to get something out of the book.
