PKI Certificate Renewal Strategy: A Simple Cascading Schedule

Designing a Certificate Authority (CA) certificate renewal schedule can cause some confusion if you don't understand how CA certificate renewals relate to the renewal overlaps of the end-entity certificates they issue. However, following these general guidelines lets CA certificates be renewed easily without shortening the life of any certificate.

Let's take the example of a 3-tier CA hierarchy (Root CA, Intermediate CA and Issuing CA) with end-entity certificates valid for 1 year maximum. One approach is to make Issuing CA certificates valid for at least double the life of the certificates they issue, and to schedule their renewal while at least 1 year of validity remains (corresponding to the maximum life of an end-entity certificate).

For example:

In this example PKI with 1-year maximum end-entity certificate lifetimes, the green bar shows the validity period of the Issuing CA certificate, while the schedule to the left of the bar (year 3, 6, 9, etc.) shows the renewals scheduled every 3 years (see chart below):

[Chart: Issuing CA certificate validity periods (green bars) with renewals scheduled at years 3, 6, 9, ...]

Since end-entity certificates in this example are valid for 1 year maximum, an end-entity certificate can always be issued for the full 1 year, because the Issuing CA always has more than 1 year of validity left: its certificates are valid for 5 years in total and are renewed every 3 years.

The Issuing CA in this example is scheduled for renewal every 3 years. The Intermediate CA certificates, which are valid for 10 years, can then be renewed just before every 3rd renewal of the Issuing CA certificate (every 9 years). That in turn allows the Root CA certificate, which is valid for 20 years, to be renewed just before every 2nd renewal of the Intermediate CA certificate (every 18 years).
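The cascade above can be checked mechanically. The script below is an added example, not the article's own tooling; it encodes the article's figures (20/18, 10/9 and 5/3 years of validity/renewal interval, 1-year end-entity certificates) and tests the property the schedule depends on: an end-entity certificate issued at any moment, with its full maximum lifetime, must never outlive any certificate above it in the chain at the moment it was issued. It assumes time in whole years from the creation of the hierarchy, renewals at exact multiples of each tier's interval, and that a parent renewal due in the same year as a child renewal takes effect first. It also runs a counter-example (intermediate renewed every 10 years instead of 9) to show what the "renew the parent before the child's Nth renewal" rule is protecting against.

```python
"""Check of a cascading CA renewal schedule (added example, not the article's tooling).

Assumptions: time is measured in whole years from the creation of the hierarchy, every
tier is renewed at exact multiples of its renewal interval, and a parent renewal scheduled
for the same year as a child renewal takes effect first (the article's "renewed prior to
the Nth renewal of the child" rule).
"""
from dataclasses import dataclass
from math import lcm


@dataclass(frozen=True)
class Tier:
    name: str
    validity: int          # lifetime of each certificate this tier holds, in years
    renewal_interval: int  # years between renewals of this tier's certificate


# The article's figures, root at the top of the chain, issuing CA at the bottom.
EXAMPLE_HIERARCHY = [
    Tier("Root CA", validity=20, renewal_interval=18),
    Tier("Intermediate CA", validity=10, renewal_interval=9),
    Tier("Issuing CA", validity=5, renewal_interval=3),
]
MAX_END_ENTITY_LIFETIME = 1  # years


def renewal_schedule(hierarchy: list[Tier], horizon: int) -> dict[str, list[int]]:
    """Years in which each tier gets a new certificate, up to `horizon` (the chart's 3, 6, 9, ...)."""
    return {
        t.name: list(range(t.renewal_interval, horizon + 1, t.renewal_interval))
        for t in hierarchy
    }


def active_cert(tier: Tier, year: int) -> tuple[int, int]:
    """(not_before, not_after) of the certificate the tier signs with just before `year` ends.

    A renewal due in `year` has not happened yet at that instant, so the certificate in
    use is the one from the last renewal strictly before `year`: the worst case for
    remaining validity."""
    issued = ((year - 1) // tier.renewal_interval) * tier.renewal_interval
    return issued, issued + tier.validity


def min_remaining_validity(tier: Tier) -> int:
    """Least validity the tier's certificate ever has left, reached just before each renewal."""
    return tier.validity - tier.renewal_interval


def check_schedule(hierarchy: list[Tier], max_end_entity_lifetime: int) -> list[str]:
    """Return the problems with a schedule; an empty list means it is sound.

    An end-entity certificate issued at any moment, with its full maximum lifetime, must
    not outlive any certificate above it in the chain at the moment of issuance. The
    pattern repeats after the least common multiple of the renewal intervals, so testing
    the last instant of every year up to that point covers every case."""
    problems = []
    horizon = lcm(*(t.renewal_interval for t in hierarchy))
    for year in range(1, horizon + 1):
        leaf_expires = year + max_end_entity_lifetime
        for tier in hierarchy:
            _, not_after = active_cert(tier, year)
            if leaf_expires > not_after:
                problems.append(
                    f"year {year}: an end-entity certificate valid until year {leaf_expires} "
                    f"outlives the {tier.name} certificate (expires year {not_after})"
                )
    return problems


if __name__ == "__main__":
    for name, years in renewal_schedule(EXAMPLE_HIERARCHY, 20).items():
        print(f"{name:16} renewed in years {years}")
    print("problems:", check_schedule(EXAMPLE_HIERARCHY, MAX_END_ENTITY_LIFETIME) or "none")

    # Counter-example (constructed): renewing the intermediate every 10 years instead of 9
    # means the issuing CA's year-9 renewal happens under the old intermediate, which
    # expires in year 10 while end-entity certificates issued just before then still have
    # most of their year to run.
    late_intermediate = [EXAMPLE_HIERARCHY[0], Tier("Intermediate CA", 10, 10), EXAMPLE_HIERARCHY[2]]
    for problem in check_schedule(late_intermediate, MAX_END_ENTITY_LIFETIME)[:3]:
        print(problem)
```

The check is deliberately leaf-centric: a CA certificate may itself outlive its issuer (the Issuing CA certificate from year 6 runs to year 11, past the first Intermediate certificate's year 10), but that is harmless as long as every end-entity certificate it signed expires before the chain above it does, which the 3-before-9-before-18 cascade guarantees.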

This type of cascading schedule is just one simple strategy. It lets end-entity and CA certificates be issued on a regular, easy-to-follow schedule while preserving the full certificate lifetime of every issued end-entity and CA certificate.