0

I'm connecting to a server via TLS. My device has installed server cert, device cert, private key and public key.

I read here validity SSL/TLS that TLS cert will last max 2 years.

This means that every 2 years I will have to updat all the certs stored into my device? Only server cert and device cert? Do I have to update also public and private key?

Die Go
  • 21
  • 1

2 Answers2

1

Given your previous question it looks like you are talking about an IoT environment, i.e. IoT devices which communicate with a server via mutual TLS. In this environment you very likely don't use certificates issued by a public CA but instead use a private CA.

The limit of 2 years you mention is only enforced by public CA. If you run your own CA and have full control over the communication peers you can use any validation time you want, also longer than two years. Still, it is not recommended to use a certificate forever since attacks against the used algorithms improve with the time and also the chance of a compromised private key increases.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
0

Check the "Issuer" field of that "server certificate" of 2 years validitiy, it shows you whether certificate is signed with another one: intermediate certificate, and root certificate at the very top. Usually, a chain of trust looks like the following:

CA root cert -> Intermediate cert -> Server cert

but it may be different in your particular case.

The root certificate has the longest validity from all, up to 20 years and more. Install whether intermediate certificate as a root of trust on your device for longer TLS validity period, or root certificate for the longest period.

Alexander Fadeev
  • 1,244
  • 4
  • 10