A CA also has its own certificate. A root CA issues a certificate for itself, a self-signed certificate, while subordinate CAs get their certificates from a root CA. Every CA certificate has a validity period. Usually, when deploying a root CA, administrators choose to set the validity period of the root CA certificate to five years or more.

You need to renew the CA certificate when the validity period is close to the expiration date. A CA with an expired certificate cannot work. Therefore you should not let the CA certificate expire.

The validity period of the CA certificate is also important for the certificates that the CA issues. A CA will never issue a certificate that has a longer validity time than its own certificate. This is useful if you choose not to renew the CA, in the event that you want to decommission it. For example, when the CA certificate reaches the end of its lifetime, all of the certificates that the now expired CA has issued can no longer be used as valid security credentials.

This can have a side effect when the CA certificate lifetime comes close to expiration: it will start to reduce the lifetime of certificates that it issues. For example, assume that your issuing CA has a certificate with five years of validity time, and it issues certificates with a two-year lifetime. For the first three years of its lifetime, no problems will arise; however, after three years, this CA will issue certificates with less than a two-year validity period.

Now some words about renewing root CA certificates. A root CA usually has a certificate with a long validity period, unlike a subordinate CA, which by default has a five-year validity time. You can set a much longer validity time for a root CA certificate during setup.

You should also select a longer key length for the root CA public and private key pair. If you use a long key length, which makes the key more secure against brute-force attack, you increase the length of time that the CA can use the same private key. In general, create a root CA that has a shorter validity period than the estimated lifetime of the key. With this in mind, a reasonable strategy is to create a 4096-bit RSA key during root CA setup, which reduces the need for frequent renewal. Given the current state of computer technology, 4096-bit private keys are secure from a brute-force attack for an estimated 15 to 20 years.

If you choose, therefore, a 4096-bit key during the root CA setup, you then can create a root certificate by using the 4096-bit key that is valid for five years. Afterward, you should renew the CA certificate every four years, one year before the expiration of the validity period, each time with a certificate validity of five years. Every time you renew this certificate, it is recommended that you assess whether the same key, given current computer technology and other security considerations, can be used with confidence for the next five years.

Now, for a subordinate CA that issues certificates to end users and devices, a recommended strategy might be to renew the CA certificate regularly with a new key, six to twelve months before the end of the CA validity period. This makes an attack on any one key less valuable, because any compromised key would have a relatively limited lifetime.

CRL management is another advantage of renewing a subordinate CA by using a new key. When you renew a CA with a new key, it begins to publish a separate CRL for the revoked certificates it has issued. This CA continues to publish the CRL for certificates signed with the old key as long as the validity period of these certificates is still valid. However, this can reduce the size of a single CRL greatly, and it will reduce the size of the CRL that the certificate verifier has to download.

When dealing with a certificate from an issuing CA, you can complete the procedure for CA certificate renewal from the Certification Authority console. You must stop the CA service before starting the renewal procedure. When you start the procedure to renew a CA certificate from the Certification Authority console, you will have to choose if you want to generate a new key set or reuse the existing one. For subordinate CAs, you must submit a renewal request to the parent CA, similar to when you first issued the certificate.

So that's it for this lesson. Next up, we'll be talking about moving a CA to another computer. I'll see you there.