Page 1 of 1

What is the valid time frame for a certificate ?

Posted: 18 Mar 2011, 15:32
by Support Team
The shorter a certificate is valid, the more secure it will be.

The certificates have a start and end time (UTC) defining the time span where they are validated positively by OpenSSL. Of course a certificate can in theory be hacked, the time depends on the power of the hacking tool and the CPU speed where it is running. Today 1024 bit keys can be hacked within weeks by powerful CPUs. Using 2048 or 4096 keys will make it harder, or better said increase the duration until they are hacked.

Now, if certificates are renewed early, the hacker must start all over again. Hence, for security reasons a certificate should not be valid for more than a year or even shorter. By the way, this is not an OPC UA issue, it is a general problem for all certificates, passwords and other keys or signatures. You should change them "before" the hacker has a chance to hack them, hence a certificate using a relatively weak 1024 bit key should be changed every week, a stronger 4096 key may survive a year.

OPC UA provides mechanisms to renew and recreate security information for connection establishment even during operation (e.g. renewing Securechannel).