Blog | G5 Cyber Security

SSL Certificate Validity: Parent vs Child

TL;DR

No, an SSL certificate (the ‘child’ certificate) cannot have a longer validity period than its issuing Certificate Authority (CA) certificate (the ‘parent’ certificate). The child certificate’s validity is always limited by the parent. If the parent expires, so does the child.

Understanding the X.509 Chain

SSL certificates aren’t issued in isolation. They rely on a chain of trust starting with a root CA and going through intermediate CAs to your specific certificate. This is called an X.509 chain.

Think of it like a family tree – your certificate is descended from the intermediate CA, which in turn descends from the root CA.

Why Child Certificates Can’t Outlive Parents

  1. Trust: Browsers trust certificates based on this chain. If the parent (intermediate CA) expires, the browser can no longer verify the child certificate’s authenticity because it loses a crucial link in the trust chain.
  2. Revocation: A CA can revoke a certificate if it’s compromised. Revocation information is tied to the CA; an expired CA means revocation checks become impossible for certificates it issued.
  3. Security: Allowing child certificates to outlive their parents would create significant security risks, as compromised CAs could continue issuing valid-looking (but untrusted) certificates indefinitely.

Checking Certificate Validity

You can check the validity of your SSL certificate and its chain using several tools:
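One way to turn such a check into a monitoring script, as an added example rather than code from the original post: it parses the text that `openssl x509 -noout -subject -dates -in <cert.pem>` prints for each link of a chain, reports the chain's effective expiry (the earliest notAfter of any link, since a child cannot be validated past its parent), names the link that imposes it, flags any child whose own notAfter is later than its issuer's, and says whether the 60-day renewal window has been reached. The three certificates and their dates are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample: what `openssl x509 -noout -subject -dates -in <cert.pem>`
# prints for each link, leaf first and root last (values made up for this example).
CHAIN_OUTPUT = [
    ("leaf", "subject=CN = www.example.com\n"
             "notBefore=Mar  1 00:00:00 2025 GMT\n"
             "notAfter=Mar  1 23:59:59 2026 GMT\n"),
    ("intermediate", "subject=CN = Example Issuing CA\n"
                     "notBefore=Jan 10 00:00:00 2020 GMT\n"
                     "notAfter=Nov 15 23:59:59 2025 GMT\n"),
    ("root", "subject=CN = Example Root CA\n"
             "notBefore=Jan  1 00:00:00 2015 GMT\n"
             "notAfter=Jan  1 23:59:59 2035 GMT\n"),
]

def parse_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl's output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

    def to_dt(value):
        # openssl pads single-digit days with two spaces ("Mar  1"); collapse them.
        clean = " ".join(value.split())
        naive = datetime.strptime(clean, "%b %d %H:%M:%S %Y %Z")
        return naive.replace(tzinfo=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def check_chain(chain, now, warn_days=60):
    """Report when the chain as a whole stops validating (the earliest notAfter of
    any link), which link imposes that limit, and any child whose own notAfter
    is later than its issuer's, i.e. a date the browser will never honour."""
    parsed = [(name, *parse_dates(text)) for name, text in chain]
    limited_by, _, effective_end = min(parsed, key=lambda p: p[2])
    outlives_issuer = [child for (child, _, c_end), (_, _, i_end)
                       in zip(parsed, parsed[1:]) if c_end > i_end]
    not_yet_valid = [name for name, start, _ in parsed if now < start]
    days_left = (effective_end - now).days
    return {
        "effective_expiry": effective_end,
        "limited_by": limited_by,
        "days_left": days_left,
        "outlives_issuer": outlives_issuer,
        "valid_now": days_left >= 0 and not not_yet_valid,
        "renew_soon": 0 <= days_left <= warn_days,
    }

if __name__ == "__main__":
    for key, value in check_chain(CHAIN_OUTPUT, datetime.now(timezone.utc)).items():
        print(f"{key}: {value}")
```

With the sample chain the leaf nominally runs until March 2026, but the report shows the chain is only usable until the intermediate's notAfter in November 2025, which is the date to monitor.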

What Happens When a Parent Certificate Expires?

  1. Warning Messages: Visitors to your website will likely see browser warnings indicating an untrusted connection.
  2. Effective Invalidity: The child certificates can no longer be validated and are effectively invalid, even if their own expiry date hasn’t been reached.
  3. Renewal Required: You need to renew the chain by obtaining a new certificate from your CA before the parent expires. This usually involves getting a new intermediate certificate or re-issuing your end-entity certificate with a new intermediate.

Practical Steps for Avoiding Issues

  1. Monitor Expiry Dates: Regularly check the expiry dates of all certificates in your chain, especially the intermediate CA certificate. Set reminders well in advance (e.g., 30-60 days before expiration).
  2. Automated Renewal: Use ACME clients like Certbot to automate SSL certificate renewal. These tools can often handle chain updates as well.
  3. CA Notifications: Most CAs will send email notifications when certificates are nearing expiry. Ensure these emails are being received and monitored.