Core Infrastructure and Security Blog

One of the Ways of Planning Certificate Authority Lifecycle

Zoheb Shaikh, Microsoft
May 26, 2020

Hello Everyone,

This blog is a collaboration between Zoheb Shaikh (Solution Engineer working with the Microsoft Mission Critical team (SfMC)) and Shobhit Garg (Sr PFE). Today we would like to share some best practices around Certificate Authority lifecycle.

Recently, I wrote a post about having automated alerts for important expiring certificates, and I received many questions about how to optimize your Certificate Authority lifecycle to ensure maximum validity for clients.

Before I go into more detail, allow me to share a customer scenario I encountered that shows the importance of having an improved CA lifecycle.

The story goes like this:

One fine morning Mr. Customer reached out to their TAM complaining that "one" of their applications had stopped working because of "some" certificate issue.

On checking, we discovered that the certificate had expired. We tried to renew it, but the renewal failed because the issuing CA certificate had expired as well.

When we then attempted to renew the issuing CA certificate, we found that the Root CA certificate had expired too.

A few hours passed, and by the time we had figured out the above root cause, "hundreds" of application owners and users had started to shout that their applications were not working because of certificate issues.

My customer's CAs had the following characteristics:

Role                  Validity   Duration
Offline Root CA       3 years    1st June 2016 – 1st June 2019
Online Issuing CA     3 years    1st June 2016 – 1st June 2019
Client Certificates   3 years    Date of issue – 3 years, or max validity till 1st June 2019

As the table shows, all applications depended on certificates that "EXPIRED ON THE SAME DATE".

This was a real nightmare for Mr. Customer. Here is what we did to resolve the problem:

  • We renewed the Root CA
  • We renewed the Subordinate CA
  • We enrolled all Application certificates manually

 

This took some time, but all the issues were resolved following this approach.

 

Being part of the Microsoft Mission Critical Solution team, we always go above and beyond to support our customers. The first step is always to quickly resolve the reactive issue, then identify the root cause, and finally, through our Proactive Delivery Methodology, make sure this does not happen again.

In this case we helped our SfMC customer identify the cause and gave all the necessary recommendations to avoid future certificate issues. Below are the reasons this issue occurred:

All certificates expired on the same day:

None of the clients were able to get the full 3-year validity period. Their certificates expired in less than 3 years because a certificate cannot have a validity period longer than that of the CA that issued it, so every client certificate was capped at the CA's own expiry date.

Also, no alerts were configured for client certificate expiry, and no CA renewal process existed in the customer environment.

In summary, Mr. Customer had not planned an optimized CA lifecycle. Here is one way an improved CA lifecycle can look:

Role                  Validity   Duration                         Renewal
Offline Root CA       8 years    1st June 2016 – 1st June 2024    1st June 2020
Online Issuing CA     4 years    1st June 2016 – 1st June 2020    1st June 2018
Client Certificates   2 years    Date of issue – 2 years          Every 2 years

We proposed the above approach to improve our customer's CA lifecycle, which provided the following benefits:

  1. Certificates issued by the Issuing CA always get the maximum possible validity.
  2. Certificates do not expire on the same day.
  3. CA certificates are renewed before the client certificates' validity lifetime ends.
  4. Sub CA validity
    1. Should be double the maximum validity of the issued certificates.
    2. Needs to be renewed before half of its lifetime to ensure client certificates get the full 2 years of validity.
    3. The CA's maximum issued validity can be obtained by running the commands below and comparing it with the validity of the available certificate templates:
                  Certutil -getreg CA\ValidityPeriodUnits
                  Certutil -getreg CA\ValidityPeriod
  5. Root CA validity
    1. Should be double the maximum validity of the Issuing CA certificate.
    2. Needs to be renewed before half of its lifetime to ensure the Issuing CA gets the full 4 years of validity.
  6. Issued certificate validity
    1. To maintain a good certificate lifecycle, these certificates need to be renewed before their expiry.
    2. Look at this post on Expiring Certificates to find out one of the ways you can get notified of certificate expiries.
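To make the rules above concrete, here is an added example in Python; it is not code from the original post or from any Microsoft tool. It models both the customer's original hierarchy and the improved one, applies the rule that an issued certificate cannot outlive any CA above it, derives each CA's latest safe renewal date from the longest validity it issues, and checks a plan against the "double the validity, renew at half-life" rules. The CA names and dates are constructed from the two tables in the post, and the review_plan function and its findings are illustrative assumptions rather than anything certutil reports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class CACert:
    """A CA certificate's validity window (constructed model, not a parsed X.509 cert)."""
    name: str
    not_before: date
    not_after: date

    @property
    def years(self) -> int:
        """Whole-year validity, as used in the post's tables."""
        return self.not_after.year - self.not_before.year


def effective_expiry(issue: date, years: int, chain: list) -> tuple:
    """Expiry a certificate actually gets: the requested lifetime, capped at the
    earliest notAfter of every CA above it (a cert cannot outlive its issuers).
    Returns (expiry, truncated). After a CA's renewal date, issuance would move
    to the renewed CA certificate, which this simple model does not represent."""
    requested = add_years(issue, years)
    actual = min([requested] + [ca.not_after for ca in chain])
    return actual, actual < requested


def latest_renewal(ca: CACert, max_issued_years: int) -> date:
    """Last day the CA can be renewed so that everything it issues from then on
    still gets its full lifetime: notAfter minus the longest lifetime it issues."""
    return add_years(ca.not_after, -max_issued_years)


def review_plan(root: CACert, sub: CACert, leaf_years: int,
                root_renewal: Optional[date], sub_renewal: Optional[date]) -> list:
    """Check a hierarchy against the post's rules; an empty list means the plan passes."""
    findings = []
    if sub.years < 2 * leaf_years:
        findings.append(f"{sub.name}: validity {sub.years}y should be at least 2 x {leaf_years}y")
    if root.years < 2 * sub.years:
        findings.append(f"{root.name}: validity {root.years}y should be at least 2 x {sub.years}y")
    for ca, renewal, issued in ((sub, sub_renewal, leaf_years), (root, root_renewal, sub.years)):
        deadline = latest_renewal(ca, issued)
        if renewal is None:
            findings.append(f"{ca.name}: no renewal planned; must renew by {deadline}")
        elif renewal > deadline:
            findings.append(f"{ca.name}: renewal {renewal} is after the deadline {deadline}")
    return findings


# Constructed data mirroring the two tables in the post.
START = date(2016, 6, 1)
OLD_ROOT = CACert("Offline Root CA", START, add_years(START, 3))
OLD_SUB = CACert("Online Issuing CA", START, add_years(START, 3))
NEW_ROOT = CACert("Offline Root CA", START, add_years(START, 8))
NEW_SUB = CACert("Online Issuing CA", START, add_years(START, 4))


if __name__ == "__main__":
    issue_dates = [date(2016, 6, 1), date(2017, 1, 1), date(2018, 6, 1)]
    print("Original plan (3y / 3y / 3y):")
    for d in issue_dates:
        exp, cut = effective_expiry(d, 3, [OLD_SUB, OLD_ROOT])
        print(f"  issued {d} -> expires {exp}{' (truncated)' if cut else ''}")
    for f in review_plan(OLD_ROOT, OLD_SUB, 3, None, None):
        print("  finding:", f)
    print("Improved plan (8y / 4y / 2y):")
    for d in issue_dates:
        exp, cut = effective_expiry(d, 2, [NEW_SUB, NEW_ROOT])
        print(f"  issued {d} -> expires {exp}{' (truncated)' if cut else ''}")
    print("  renew sub CA by", latest_renewal(NEW_SUB, 2), "and root CA by", latest_renewal(NEW_ROOT, 4))
    print("  findings:", review_plan(NEW_ROOT, NEW_SUB, 2, date(2020, 6, 1), date(2018, 6, 1)) or "none")
```

Running it shows every client certificate in the original plan collapsing onto 1st June 2019 regardless of issue date, while the improved plan gives each certificate its full 2 years and reports the same renewal dates as the table (sub CA by 1st June 2018, root CA by 1st June 2020).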


As you can see in the image above, we have a CA hierarchy in which the Subordinate CA's lifetime is half that of the Root CA, and the end-user certificates have a validity of no more than half of the Subordinate CA's.

See the image above for how we ensured a good lifecycle for CAs and end certificates. With this approach, the end client certificates and Subordinate CAs get their full lifecycle/validity, and there are no doomsday surprises.

Having said that, as the title mentions, this is "one of the ways of planning your CA lifecycle", and different situations may call for different lifecycle management.

Hope this helps, 

Zoheb & Shobhit

Updated Jan 19, 2023
Version 13.0