North American Network Operators Group


RE: PKI operators anyone?

  • From: Security Admin (NetSec)
  • Date: Wed Sep 05 22:55:35 2007

"MS-PRESS recommended design guidelines for multi-tier PKI systems for
validity periods are along the lines of

8 years for the root
4 years for the "policy"
2 years for the "issuing"
1 year for the issued certificate"


Don't forget that Microsoft would like you to buy their OS once every five years or so, not every 80 years.

4 tiers is a bit much; three would work fine in most organizations.  IMHO 10/5/3/1 is OK, 10/5/2 for three tier.  Issuing certs to clients can be automated via GPO with zero client downtime.  It is the renewal upstream to the root CAs by the subordinates which can cause issues and downtime if not properly managed.

Edward Ray
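The following is an added worked example, not code from the post or from Microsoft's guidance. It models the 10/5/2 + 1-year hierarchy the reply proposes with the Python standard library only (no real keys or certificates): it builds the validity windows of each tier, checks that every window nests inside its issuer's, and computes the date after which each CA can no longer issue its child tier at full lifetime, which is exactly the upstream renewal point the reply warns about. The start date, the tier names and the CA behaviour of capping a subordinate's notAfter at its own expiry are assumptions for illustration.

```python
from datetime import date

# Constructed hierarchy modelled on the 10/5/2 figures from the post, with
# 1-year end-entity certificates.  Tier names are hypothetical.
TIERS = [("root", 10), ("policy", 5), ("issuing", 2), ("leaf", 1)]

# Constructed dates for the demonstration (the post's date, and a later
# request made by a client during the issuing CA's second year).
DEMO_START = date(2007, 9, 5)
DEMO_REQUEST = date(2009, 3, 1)


def add_years(d, n):
    """Advance (or, for negative n, rewind) a date by n calendar years.
    Assumes the date is not Feb 29."""
    return d.replace(year=d.year + n)


def build_chain(start, tiers=TIERS):
    """Issue every tier on `start`, capping each certificate's notAfter at
    its issuer's notAfter.  The capping mirrors the assumed behaviour of a
    CA that will not sign a certificate outliving its own certificate."""
    chain, issuer_end = [], None
    for name, years in tiers:
        not_after = add_years(start, years)
        if issuer_end is not None and not_after > issuer_end:
            not_after = issuer_end
        chain.append({"name": name, "not_before": start, "not_after": not_after})
        issuer_end = not_after
    return chain


def check_nesting(chain):
    """Return the names of certificates whose validity window is not fully
    inside their issuer's window (root first, leaf last)."""
    bad = []
    for issuer, subject in zip(chain, chain[1:]):
        if (subject["not_before"] < issuer["not_before"]
                or subject["not_after"] > issuer["not_after"]):
            bad.append(subject["name"])
    return bad


def effective_not_after(issuer_not_after, issue_date, years):
    """The notAfter a CA can actually give a certificate requested on
    `issue_date` for `years`: the requested lifetime, truncated to the
    CA's own expiry."""
    return min(add_years(issue_date, years), issuer_not_after)


def renewal_schedule(chain, tiers=TIERS):
    """For each CA, the last date on which it can issue its child tier at
    full lifetime.  After that date the CA certificate must be renewed by
    its own issuer, or every certificate it issues is truncated."""
    schedule = {}
    for ca, (_child_name, child_years) in zip(chain, tiers[1:]):
        schedule[ca["name"]] = add_years(ca["not_after"], -child_years)
    return schedule


if __name__ == "__main__":
    chain = build_chain(DEMO_START)
    for cert in chain:
        print(f'{cert["name"]:8} {cert["not_before"]} -> {cert["not_after"]}')
    print("nesting problems:", check_nesting(chain) or "none")
    for ca, deadline in renewal_schedule(chain).items():
        print(f"{ca:8} must be renewed by {deadline} to keep issuing full-lifetime certs")
    issuing = chain[2]
    print("leaf requested", DEMO_REQUEST, "expires",
          effective_not_after(issuing["not_after"], DEMO_REQUEST, 1))
```

Run as a script, the schedule makes the point concrete: with 2-year issuing CA certificates and 1-year client certificates, the issuing CA can hand out full-lifetime certificates only during its first year, so in practice its certificate is renewed by the policy CA yearly, not every two years. That renewal is the step that needs the upstream (often offline) CA brought up and is where the downtime risk in the reply lives.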