  • Date: Wed, 02 Mar 2005 00:24:13 -0600

On Wed, 02 Mar 2005 15:01:58 +0000, Nik wrote:

> Q1: Except for guaranteeing commercial certificate authorities continued
> revenues, what is the case for making the various certificates expire?

Let me start with a few examples:

- Let's say that there's an attack against RSA discovered that cuts 13
  bits off the effective key length (meaning that the total time for a
  brute force attack is less than 1/8000th of what it had been). You'll
  want to create new certificates with larger keys, right? Having your old
  keys expire provides an opportunity to recreate them with lengths that
  are more in-line with current standards.

- Your company is disposing of a bunch of old hardware -- including a
  server, out of commission for years, that hasn't had its HD wiped. You
  have a valid private key signed by your company CA on there, IT
  neglected to revoke the certificate when the system was decommissioned
  (or your CRL isn't widely used or distributed) and the key is
  unencrypted so your server can boot without human intervention? Oops.

Valid certificates provide attack vectors -- enabling MITM attacks,
ex-employees with access to your internal systems, scammers putting up
servers that claim to belong to your company, and so forth. Having these
certificates expire helps keep them under control -- so that the only ones
out there are ones that you *want* to be there, because you kept renewing
them. A key/cert pair may fall through the cracks, but even should that
happen their lifetime is limited.

> Q2: What does everyone else do regarding their openvpn certificates?

Me? I issue 10-year certificates, and have toolage and policies for
tracking which certificates are valid/revoked/etc, getting certificates
that need to be revoked, and getting the CRLs out to where they need to
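As an added illustration of the kind of tracking tooling described above (this is not code from the original post or from the OpenVPN project), the script below uses the openssl command line to flag two of the conditions the post gives as reasons for expiry: a certificate that falls due for renewal within a policy window, and a key that is now below a policy minimum size. The function names, the 30-day renewal window, the 2048/3072-bit thresholds and the test subject name are all assumptions for the example; the certificates it checks are generated on the fly as constructed test data rather than taken from any real CA.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal certificate
# inventory check built on the openssl CLI. It reports certificates that
# expire within a renewal window and keys below a minimum RSA size.
# Function names, thresholds and the test subject are assumptions.
set -e

# make_test_cert OUTDIR DAYS BITS
# Create a self-signed test certificate (constructed data, not a real CA).
make_test_cert() {
  outdir=$1; days=$2; bits=$3
  openssl req -x509 -newkey "rsa:$bits" -nodes \
      -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
      -days "$days" -subj "/CN=test-vpn-node" >/dev/null 2>&1
}

# expires_within CERT DAYS
# Succeeds (exit 0) if CERT is already expired or expires within DAYS days.
# openssl's -checkend exits 0 only while the cert is still valid after that
# many seconds, so the sense is inverted here.
expires_within() {
  cert=$1; window=$(( $2 * 86400 ))
  if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# key_bits CERT
# Print the RSA modulus size in bits. The sed pattern accepts both the
# 1.1.x "RSA Public-Key: (n bit)" and the 3.x "Public-Key: (n bit)" label.
key_bits() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl rsa -pubin -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_cert CERT MIN_BITS RENEW_DAYS
# Prints one status line and returns:
#   0 = OK, 1 = renew soon (or already expired), 2 = key below policy minimum.
# A weak key outranks an expiry warning: such a cert should be reissued with
# a new key, not simply renewed.
check_cert() {
  cert=$1; min_bits=$2; renew_days=$3
  bits=$(key_bits "$cert")
  if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
    echo "WEAK-KEY $cert (${bits:-unknown} bit < $min_bits)"
    return 2
  fi
  if expires_within "$cert" "$renew_days"; then
    echo "RENEW $cert (expires within $renew_days days)"
    return 1
  fi
  echo "OK $cert ($bits bit)"
  return 0
}

# Demo on constructed certificates in a scratch directory: one long-lived
# cert and one that expires in a week, checked against a 30-day window.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/fresh" "$demo_dir/expiring"
make_test_cert "$demo_dir/fresh"    3650 2048
make_test_cert "$demo_dir/expiring"    7 2048
check_cert "$demo_dir/fresh/cert.pem"    2048 30 || true
check_cert "$demo_dir/expiring/cert.pem" 2048 30 || true
check_cert "$demo_dir/fresh/cert.pem"    3072 30 || true
rm -rf "$demo_dir"
```

Run over a directory of issued certificates, the non-zero return codes are what a cron job would key on to open a renewal or reissue ticket; the same pass is the natural place to cross-check each serial against the CRL so that a certificate whose revocation was missed shows up in the report instead of lingering until it expires.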

