Hi Everyone,
Our PKI is 3 tier with offline root and subordinate tiers and an online issuing tier.
The root CA certificate has a 20 year validity, the subordinate CA certificates have 10 year validity and the issuing tier 5 year.
The 5 year validity of the issuing CA certs allows us to issue certificates up to 3 years validity, provided that we renew the issuing CA certificates every 2 years.
Things have hummed along smoothly, but now there is a future requirement to have the capability of issuing certificates of up to 5 year validity.
I'm after advice on how best to reconfigure the PKI to handle this. Would I need to reconfigure all the tiers to, say, root 30, subordinates 15 and issuing 7 years to accommodate this?
Are there any gotchas to keeping the root at 20, and subordinate at 10, but having one of the issuing at 7 years? In most of the examples I've seen each tier is half the validity period of its parent.
Advice appreciated.
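To make the arithmetic behind the question explicit, here is an added example (not from the original post) that models the rule the poster describes: a CA truncates anything it issues to its own certificate's notAfter, so each tier must be renewed with enough headroom left for its children. The tier names and dates are constructed for illustration; the model ignores overlap or grace periods an organisation might add on top.

```python
from dataclasses import dataclass
from datetime import date


def add_years(d: date, n: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass(frozen=True)
class Tier:
    name: str            # illustrative label, e.g. "root", "sub", "issuing"
    validity_years: int  # lifetime of this CA's own certificate


def renewal_schedule(tiers: list[Tier], leaf_years: int) -> list[tuple[str, int]]:
    """Walk the chain from the issuing tier up to the root and return, per tier,
    how often (in years) its CA certificate must be renewed so that everything it
    issues can carry full validity without running past the issuer's notAfter.
    Raises ValueError where a tier is too short to issue what its child needs."""
    schedule = []
    child_years = leaf_years
    for tier in reversed(tiers):          # issuing -> subordinate -> root
        headroom = tier.validity_years - child_years
        if headroom <= 0:
            raise ValueError(f"{tier.name} ({tier.validity_years}y) cannot issue "
                             f"{child_years}y certificates with any renewal cadence")
        schedule.append((tier.name, headroom))
        child_years = tier.validity_years  # this tier's cert is the next parent's child
    return list(reversed(schedule))


def renew_issuer_by(issuer_not_after: date, leaf_years: int) -> date:
    """Last date on which a CA can still issue a certificate with full leaf_years validity."""
    return add_years(issuer_not_after, -leaf_years)


def effective_not_after(issue_date: date, requested_years: int,
                        issuer_not_after: date) -> tuple[date, bool]:
    """notAfter a certificate actually receives under the truncate-to-issuer rule,
    plus a flag saying whether truncation happened."""
    requested = add_years(issue_date, requested_years)
    return (min(requested, issuer_not_after), requested > issuer_not_after)


if __name__ == "__main__":
    current = [Tier("root", 20), Tier("sub", 10), Tier("issuing", 5)]
    proposed = [Tier("root", 20), Tier("sub", 10), Tier("issuing", 7)]
    print("today, 3y leaves:", renewal_schedule(current, 3))
    print("issuing at 7y, 5y leaves:", renewal_schedule(proposed, 5))
```

Running it shows the gotcha of lengthening only the issuing tier: with a 7-year issuing certificate under a 10-year subordinate, the subordinate's renewal cadence drops from every 5 years to every 3, because it must have at least 7 years left each time it signs a new issuing CA certificate.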