Hi,

> I do have a question about the maximum validity.
> As I understand, the CA validity has to be longer or the same as the
> configured validity in the used profile (which currently is +01, which is 1
> year as I understand).
> Now my CAs are valid for 1 year, and have a bit of overlap.
>
> Issuing certificates of this Realm
> Subject                                              not before               not after
> CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL  2022-11-14 00:00:00 UTC  2023-11-14 00:00:00 UTC
> CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL  2021-12-09 09:23:55 UTC  2022-12-09 09:23:55 UTC
>
> But I am still getting the same error.
> Does this mean that the overlap of certificate validity has to be at least
> the duration of the issued certificate?
> (so that there is always 1 CA that is valid for the full duration of the
> requested certificate)
>
> Sorry if this is more a generic CA related question instead of an OpenXPKI one.
We are leaving OpenXPKI grounds here...

As mentioned in the previous mail you need to design your PKI properly, in this particular case with regard to the CA validities. This means that you need to align the CA validity with the maximum required end entity validity. Make sure to provide CA certificates which have a sensible/usable usage period in which they are fully capable of issuing the maximum required subordinate certificate validity. Also make sure to design (and test) the CA rollover process properly.

When I design a PKI I typically recommend

    CA Validity := 2 * (maximum required subordinate validity) + some slack value

Cheers
Martin

_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
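The following is an added worked example, not code from this thread or from OpenXPKI. It takes the two Factory CA validity periods quoted in the question and computes, for each CA, the window in which it can still sign a full one-year end-entity certificate without the end-entity notAfter running past the CA's own notAfter. For the two CAs in the question that window collapses to a single instant at each CA's notBefore, which is why no issuer is usable in November 2022 even though the CA lifetimes overlap. It then applies the rule of thumb from the reply (2 * maximum subordinate validity + slack) to a planned rollover and checks that the planned chain has no such gap. The 365-day year, the 90-day slack, the yearly rollover cadence, the "current time" and the generation names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed example (not OpenXPKI code). The two Factory CA validity periods
# below are the ones quoted in the question; everything else is assumed.


def parse_utc(text):
    """Parse a timestamp in the 'YYYY-MM-DD HH:MM:SS UTC' form used in the question."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


FACTORY_CAS = {
    "Factory CA (issued 2021)": (parse_utc("2021-12-09 09:23:55 UTC"),
                                 parse_utc("2022-12-09 09:23:55 UTC")),
    "Factory CA (issued 2022)": (parse_utc("2022-11-14 00:00:00 UTC"),
                                 parse_utc("2023-11-14 00:00:00 UTC")),
}

ONE_YEAR = timedelta(days=365)   # the profile's "+01" validity, read as one year (assumed)
SLACK = timedelta(days=90)       # assumed slack value for the rule of thumb


def issuing_window(not_before, not_after, ee_validity):
    """Period during which a CA can sign an end-entity certificate of
    `ee_validity` whose notAfter stays within the CA's own notAfter.
    Returns None when the CA lifetime is shorter than ee_validity."""
    last_issue = not_after - ee_validity
    if last_issue < not_before:
        return None
    return (not_before, last_issue)


def usable_issuers(cas, ee_validity, now):
    """Names of the CAs that could issue a full-length certificate at `now`."""
    names = []
    for name, (not_before, not_after) in cas.items():
        window = issuing_window(not_before, not_after, ee_validity)
        if window and window[0] <= now <= window[1]:
            names.append(name)
    return names


def coverage_gaps(cas, ee_validity):
    """Intervals between consecutive issuing windows in which no CA can issue a
    full-length certificate. An empty list means the rollover is gap-free."""
    windows = sorted(w for w in (issuing_window(nb, na, ee_validity)
                                 for nb, na in cas.values()) if w)
    gaps = []
    for (_, end_prev), (start_next, _) in zip(windows, windows[1:]):
        if start_next > end_prev:
            gaps.append((end_prev, start_next))
    return gaps


def recommended_ca_validity(max_ee_validity, slack):
    """The rule of thumb from the reply: 2 * maximum subordinate validity + slack."""
    return 2 * max_ee_validity + slack


def plan_rollover(first_not_before, ca_validity, rollover_every, generations):
    """Hypothetical planning helper: a new CA generation every `rollover_every`,
    each valid for `ca_validity`. Returns {name: (notBefore, notAfter)}."""
    plan = {}
    for k in range(generations):
        not_before = first_not_before + k * rollover_every
        plan[f"CA gen {k}"] = (not_before, not_before + ca_validity)
    return plan


if __name__ == "__main__":
    now = parse_utc("2022-11-20 12:00:00 UTC")  # constructed "current time"
    print("Usable issuers now:", usable_issuers(FACTORY_CAS, ONE_YEAR, now))
    for start, end in coverage_gaps(FACTORY_CAS, ONE_YEAR):
        print("No CA can issue a full 1-year certificate between", start, "and", end)

    ca_validity = recommended_ca_validity(ONE_YEAR, SLACK)
    plan = plan_rollover(parse_utc("2023-01-01 00:00:00 UTC"), ca_validity,
                         rollover_every=ONE_YEAR, generations=4)
    print("Planned CA validity:", ca_validity.days, "days; gaps:",
          coverage_gaps(plan, ONE_YEAR))
```

With the planned chain each CA can issue for one year plus the slack, and the next generation starts after exactly one year, so successive issuing windows overlap by the slack value; that overlap is what gives an operator room to test the rollover before the old CA stops being usable.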
