Understanding Public Key Certificate Expiration

Every public key certificate carries a validity period: a date on which it becomes valid and a date on which it expires. The default lifespan for the NDS* tree CA's public key certificate is two years. The certificate lifespan can be set to expire in six months, one year, two years, five years, or in the year 2036. Public key certificates signed by the NDS tree CA take on the validity period of the CA's public key certificate, so they expire when the CA's certificate expires. For externally signed public key certificates, the external CA determines the validity period (normally one year).

Public key certificates are assigned a limited validity period to limit the damage that might be caused by an undiscovered key compromise. For this reason, external CAs might prohibit the renewal of public key certificates they issue without changing keys.

If an attacker who has obtained your private key remains "passive" (for example, only decrypting traffic that was captured, never impersonating you), you are unlikely to discover the compromise. Relatively frequent key pair changes bound the damage from such an undetected compromise, because each private key is useful to the attacker only until it is retired.

If you suspect that an attacker has your private key, stop using it immediately by deleting the Key Material object from the NDS tree. Then generate a new key pair and obtain a new public key certificate for it from the NDS tree CA or an external CA. Deleting the object removes the key from your server; it does not by itself stop other parties from accepting the old public key certificate until that certificate is revoked or expires.

The life cycle of a key pair is as follows:

Key pair generation

Issuance of public key certificate by a CA

Key distribution: public key to public repository; private key to owner

Key pair activation

Use of the key pair

Public key certificate suspension, revocation, or expiration

Key pair termination

In certain instances, renewing the public key certificate for an existing key pair may be sufficient. For example, if the CA issues public key certificates with a shorter lifespan than you want, you may want to renew the certificate for another time period. Never renew a public key certificate if you suspect that your private key has been compromised; obtain a new key pair instead.

Generally, however, you should not renew a public key certificate without changing the key pair. Renewing with the same key pair extends the period during which an undetected compromise of that private key can be exploited, and because two certificates with different attributes (serial number, validity dates) now certify the same public key, it becomes difficult to uniquely associate a particular set of public key certificate attributes with a given digital signature.

It is important to understand the consequences of revoking a public key certificate, or allowing a public key certificate to expire. Local laws vary in this regard. Generally speaking, however, the expiration or revocation of a public key certificate does not automatically invalidate a digital signature that was made while the certificate was valid: the signature still verifies mathematically against the public key. It does, however, make the process of proving the validity of such a signature (technical nonrepudiation) significantly more difficult, because a verifier must now establish when the signature was made relative to the certificate's validity period, not merely that the signature checks out. If you need to establish the legal validity of a digital signature after a public key certificate has expired or has been revoked, consult an attorney for advice.
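The following example, added for this page and not taken from Novell's software or documentation, puts the rules above into running code: a tree CA whose certificate carries the two-year default lifespan, a key pair whose certificate inherits the CA certificate's validity period, the life cycle steps of key pair generation, certificate issuance, use, expiration and termination by re-keying, and the point just made that expiration does not undo a signature but does make the relying party's certificate check fail. It is written in Go against the standard library only and does not talk to NDS; the CA name, the subject name, the issue date and the serial-number scheme are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TreePKI is a constructed stand-in for an NDS tree CA plus one Key Material
// object (a key pair and the certificate the CA issued for its public key).
type TreePKI struct {
	CACert   *x509.Certificate
	LeafKey  *ecdsa.PrivateKey // private key, kept by the owner
	LeafCert *x509.Certificate // public key certificate, distributed openly
	caKey    *ecdsa.PrivateKey
}

// makeCert signs a template with the signer's key and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a tree CA valid for caLifespan from `issued`, then generates and certifies one key pair.
func BuildPKI(issued time.Time, caLifespan time.Duration) (*TreePKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Tree CA"}, // assumed name
		NotBefore:             issued,
		NotAfter:              issued.Add(caLifespan),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	p := &TreePKI{CACert: caCert, caKey: caKey}
	return p, p.Rekey(issued)
}

// Rekey discards the old private key and has the tree CA certify a fresh pair;
// the new certificate inherits the CA certificate's expiry, as the text states.
func (p *TreePKI) Rekey(at time.Time) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(at.UnixNano()), // constructed serial scheme
		Subject:      pkix.Name{CommonName: "server1.example"}, // assumed name
		NotBefore:    at,
		NotAfter:     p.CACert.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	cert, err := makeCert(tmpl, p.CACert, &key.PublicKey, p.caKey)
	if err != nil {
		return err
	}
	p.LeafKey, p.LeafCert = key, cert
	return nil
}

// Sign is the "use of the key pair" step: an ECDSA signature over msg.
func (p *TreePKI) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, p.LeafKey, d[:])
}

// SignatureValid checks only the mathematics: does the public key in cert verify sig over msg? No date is consulted.
func SignatureValid(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

// CertValidAt is what a relying party does: chain the certificate to the tree CA and
// enforce the validity period as of `at`. expired is true when that period check is what failed.
func (p *TreePKI) CertValidAt(at time.Time) (expired bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	_, err = p.LeafCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired, err
}
```

SignatureValid never looks at a date, while CertValidAt is the path validation a relying party performs. A year after the two-year period ends, the first still returns true for a signature made on day one and the second reports an expired certificate. That is exactly the gap the text describes between "the signature is still valid" and "I can prove it was valid": the proof now needs evidence, such as a trusted timestamp and archived copies of the certificate and the CA certificate, that the signature was made inside the validity window. Rekey shows the other half of the life cycle: after it runs, the old signature no longer verifies under the new certificate, which is the unambiguous association between a certificate and a signature that renewing with the same key pair would blur.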

Related Topics

Renew a Public Key Certificate

Understanding Public Key Certificates

Delete a Key Material Object