Certification body key size and period of validity

Key size and period of validity of a root CA.

Anyone building a PKI and deciding on the validity period of a root CA should consider the following.

A 2048-bit key used with a SHA-2 CNG hash algorithm should not have a validity period longer than 32 months.
A 4096-bit key used with a SHA-2 CNG hash algorithm should not have a validity period longer than 16 years.

If the root CA is to remain for 12 years, the key length should be 4096 bits.

The root CA's CAPolicy.inf could look like this for a 12-year validity period:

[Certsrv_server]
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 12
CNGHashAlgorithm = SHA512
AlternateSignatureAlgorithm = 0

The issuing CA's CAPolicy.inf could look like this for a 6-year validity period:

[Certsrv_server]
RenewalKeyLength = 4096
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = 6
CNGHashAlgorithm = SHA512
AlternateSignatureAlgorithm = 0
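The two files above differ only in the validity period. As an added example (not part of the original post), the following PowerShell function generates the CAPolicy.inf content from parameters and refuses combinations that violate the key size and validity guidance stated above (2048 bits: at most 32 months; 4096 bits: at most 16 years). It adds the [Version] header that CAPolicy.inf requires but the fragments above omit; the function name and parameters are this example's own choices.

```powershell
# Added example: build CAPolicy.inf content and enforce the post's
# key-size / validity pairing before the CA is installed or renewed.
function New-CaPolicyContent {
    param(
        [Parameter(Mandatory)][ValidateSet(2048, 4096)][int]$KeyLength,
        [Parameter(Mandatory)][int]$ValidityYears,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')][string]$HashAlgorithm = 'SHA512',
        [switch]$UseAlternateSignature   # emits AlternateSignatureAlgorithm = 1 (RSASSA-PSS)
    )

    # Maximum validity in months per key length, as stated in the text.
    $maxMonths = @{ 2048 = 32; 4096 = 16 * 12 }
    $requestedMonths = $ValidityYears * 12
    if ($requestedMonths -gt $maxMonths[$KeyLength]) {
        throw ("A {0}-bit key should not be valid longer than {1} months; {2} years were requested." -f
            $KeyLength, $maxMonths[$KeyLength], $ValidityYears)
    }

    $altSig = if ($UseAlternateSignature) { 1 } else { 0 }

    # [Version] is mandatory in CAPolicy.inf; the backticks keep "$Windows NT$" literal.
    @"
[Version]
Signature="`$Windows NT`$"

[Certsrv_server]
RenewalKeyLength = $KeyLength
RenewalValidityPeriod = Years
RenewalValidityPeriodUnits = $ValidityYears
CNGHashAlgorithm = $HashAlgorithm
AlternateSignatureAlgorithm = $altSig
"@
}

# Root CA, 12 years, 4096 bits: accepted and written to %windir% where ADCS reads it.
New-CaPolicyContent -KeyLength 4096 -ValidityYears 12 |
    Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# Same validity with a 2048-bit key: throws, because 144 months exceeds the 32-month limit.
try { New-CaPolicyContent -KeyLength 2048 -ValidityYears 12 } catch { Write-Warning $_ }
```

CAPolicy.inf is read from %windir% only at installation and at renewal of the CA certificate, so the file has to be in place before running the installation or the renewal wizard.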

Anyone who sets AlternateSignatureAlgorithm = 1 should know that with a signature hash algorithm such as SHA384RSA configured, the signature algorithm changes to the RSASSA-PSS format. Always check your environment for compatibility with RSASSA-PSS before enabling it, because older clients and some non-Windows implementations cannot validate PSS-signed certificates.
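A practical way to find out whether RSASSA-PSS is already in play, and whether any CA certificate exceeds the validity limits given earlier, is to inspect the local certificate stores. The following PowerShell is an added example, not code from the original post; the function name, the store paths and the 30.44-day month approximation are this example's own choices. It identifies PSS signatures by the id-RSASSA-PSS OID 1.2.840.113549.1.1.10 (RFC 4055).

```powershell
# Added example: report RSA CA certificates in the machine stores, flagging
# RSASSA-PSS signatures and validity periods beyond the post's thresholds.
$RsaSsaPssOid = '1.2.840.113549.1.1.10'   # id-RSASSA-PSS, RFC 4055

function Get-CaCertificateReport {
    param([string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'))

    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), which are skipped.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) { continue }

            # Validity in months; limits are the ones stated in the text.
            $months = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 30.44)
            $limit = switch ($rsa.KeySize) { 2048 { 32 } 4096 { 16 * 12 } default { $null } }

            [pscustomobject]@{
                Store          = $path
                Subject        = $cert.Subject
                KeySize        = $rsa.KeySize
                ValidityMonths = $months
                ExceedsLimit   = if ($limit) { $months -gt $limit } else { $null }
                SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
                UsesRsaSsaPss  = ($cert.SignatureAlgorithm.Value -eq $RsaSsaPssOid)
            }
        }
    }
}

# Show only the certificates that need attention before (re)issuing with AlternateSignatureAlgorithm = 1.
Get-CaCertificateReport |
    Where-Object { $_.UsesRsaSsaPss -or $_.ExceedsLimit } |
    Format-Table -AutoSize
```

Run it on a representative set of relying parties (domain members, appliances, non-Windows hosts that trust the CA) rather than only on the CA itself: the compatibility question is whether those clients can validate a PSS-signed chain, and the report shows which existing chains already exercise that code path.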

