Most if not all server certificates that I work with expire before its issuer, but is it possible for a server certificate to expire after its issuer and does this apply to an intermediate certificate as well (expire after the root certificate)?
If so, should a client trust a remote with a expired intermediate certificate while the server certificate hasn't?
I've looked into Certification authority root certificate expiry and renewal, but I don't fully understand the answer.
According to the SSL FAQ:
the validity (and thus level of trust) of a given certificate is determined by the corresponding validity of the higher-level certificate that signed it.
So while it is technically possible to make a certificate which lasts longer than its issuer, it makes no sense, as the chain becomes broken the moment an intermediate (or the root) certificate becomes invalid (for whatever reason). No client should (and none does) trust such a chain.
The signature of the certificate depends only on the public key in the issuer certificate and not on the expiration of the issuers certificate or other parameters. The path validation though depends on all certificates in the trust chain not being expired.
If the client has only the server certificate and an expired issuer certificate then the path validation should fail. But it is quite common that certificates get renewed, i.e. a new certificate with a different expiration but the same public key gets created. This is true for CA certificates too. Thus if the client has this new issuer certificate it can still validate the issuers signature since it only depends on the public key which stayed the same. And if the renewed CA certificate is also not expired the path validation succeeds even if at the time of the lead certificate creation another CA certificate was used.
