Certificate Lifetimes

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

JonLor
Hero Member
Posts: 48
Joined: 30 Jan 2014, 11:05

Certificate Lifetimes

Post by JonLor »

Hello,

We have the situation where our products run for a very long time (>15 years) without service or software upgrades. Starting to get into the certificate world, the lifetime of certificates seems to be a potential problem in the long lifetime of our products. If a certificate lifetime is exceeded at a customer installation, do we need to renew the certificate manually or can this be achieved automatically somehow? Our systems are isolated from the internet and the certificates of server and client are delivered with the system.

Best regards
Jonas

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Certificate Lifetimes

Post by Support Team »

Jonas,

In every security environment (no matter which one) the lifetime of the "secret" is essential for the level of security. That is the reason why you should change e.g. your Windows LogonPWD at least every 3 months, plus you should make it hard to guess by using numbers, characters and upper and lower case. Same with the certificates: they should use long keys, plus they expire after a while, so that a potential hacker needs to start all over again when you have replaced them with new certificates after a year or so.

The use case of having a device that should be "secured" but also should never replace the "secret" over a period of 15 or more years is contradictory. For a device there should always exist a mechanism to renew the certificate. And this new secret should be created by the customer of the device, or by the device itself, but not by the vendor of the device (because he would be in possession of the secret then). In "long running" scenarios you could either use a long lifetime for the certificate, or the consumer of the data may also "accept" an expired certificate from your device (because "expired" does not necessarily mean that it was "hacked"). The third and probably the most advanced solution is that the certificate can be "renewed" by using an OPC UA function. Some central server (let's call it GlobalDirectoryServer) can push or pull certificates into the device. This GDS may exist in your subnet and will manage the security for all the UA devices.

The GDS functionality is already specified by the OPC Foundation, and prototypes are already implemented. Anyway, your device should support being "updated" by some GDS.

Best Regards
Support Team

JonLor
Hero Member
Posts: 48
Joined: 30 Jan 2014, 11:05

Re: Certificate Lifetimes

Post by JonLor »

Thank you for the informative answer!

We do not consider our target product to be security critical but are considering adding certificate handling to at least provide some basic protection of the system. For us, a certificate with a long lifetime sounds like the most appealing solution.

Are there any limits on the lifetime of a certificate? We will use a self-signed certificate.

Best regards
Jonas

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Certificate Lifetimes

Post by Support Team »

Hello,

For generating certificates we are using openssl. So the limitation for the lifetime is a limitation of openssl. With the currently used version of openssl it is possible to create certificates with lifetimes of more than 100 years.

Best regards
Support Team
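
The thread's two concerns, a long-lived self-signed certificate made with openssl and knowing when a certificate on an isolated system is due for renewal, shown as an added example that is not part of the original posts or of the SDK. The subject name, file names and warning thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SDK code): create a self-signed certificate with a chosen
# lifetime and report how close it is to expiry, using only the openssl CLI.

# make_selfsigned KEY CERT DAYS
# Generates a new RSA key and a self-signed certificate valid for DAYS days.
# The subject below is a constructed placeholder.
make_selfsigned() (
    umask 077   # keep the private key readable by its owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -days "$3" \
        -subj "/CN=example-device/O=Example" 2>/dev/null
)

# cert_enddate CERT
# Prints the certificate's notAfter date as openssl reports it.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_status CERT WARN_DAYS
# Prints "expired", "renew-soon" (fewer than WARN_DAYS left) or "ok".
# "openssl x509 -checkend N" exits non-zero if the certificate will have
# expired N seconds from now.
cert_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout \
            -checkend $(( $2 * 86400 )) >/dev/null; then
        echo renew-soon
    else
        echo ok
    fi
}

# Demo: run as "sh script.sh demo" to create a 100-year certificate in a
# temporary directory and print its end date and status.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned "$dir/device.key" "$dir/device.crt" 36500
    echo "notAfter: $(cert_enddate "$dir/device.crt")"
    echo "status:   $(cert_status "$dir/device.crt" 365)"
    rm -rf "$dir"
fi
```

On a system without internet access, `cert_status` can be run periodically against the installed certificates so that renewal is scheduled before the expiry date rather than discovered after it.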
