Validity Period Controls

Validity controls define how long a certificate or Certificate Authority (CA) remains valid before it must be renewed or replaced. CertiNext applies validity controls differently for publicly trusted CAs and private CAs, reflecting the distinct governance models and compliance requirements that apply to each trust domain.

This separation ensures that public trust certificates remain compliant with global browser standards, while private PKI deployments retain the flexibility required for internal and machine identity use cases.

Validity Controls for Public Certificate Authorities

For publicly trusted CAs, certificate validity is not configurable by the customer within CertiNext.

Public certificate lifetimes are strictly governed by:

  • CA/Browser Forum Baseline Requirements

  • Browser and operating system root store policies

  • CA-specific public trust rules

As a result:

  • Maximum certificate validity is enforced by the issuing public CA

  • Validity options exposed in CertiNext align with what the public CA allows

  • Customers cannot extend certificate lifetimes beyond permitted limits

CertiNext enforces these rules automatically to ensure continued browser trust, compliance, and interoperability.

Validity Controls for Private Certificate Authorities

For private CAs, certificate validity is fully configurable within CertiNext, as shown in the Private CA creation workflow.

When creating a private CA or subordinate CA, administrators can define:

  • Validity duration

  • Validity unit (Years, Months, or Days)

  • Purpose of the CA (Issuing CA or End-Entity)

This flexibility allows organizations to:

  • Design long-lived root CAs for internal trust

  • Configure shorter-lived issuing or end-entity CAs

  • Align certificate lifetimes with security, operational, or compliance requirements

  • Support short-lived certificates for Zero Trust and automation-driven environments

These controls apply to emCA-based private PKI deployments managed within CertiNext.
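The hierarchy described above (a long-lived root, shorter-lived issuing CAs, a short-lived end-entity profile, each with its own duration and unit) is easy to get wrong in one specific way: a subordinate whose validity runs past its issuer's, or a CA hung under a profile whose purpose is End-Entity. The following is an added example, not CertiNext or emCA code, that models these profiles in plain Python and applies the checks a PKI engineer would want before issuing. The day counts for Years/Months/Days, the 398-day public cap, the sample dates and the profile names are all assumptions; CertiNext takes the public limit from the issuing CA rather than from a constant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed day counts for CertiNext's validity units (the page names the units,
# not their lengths); calendar-exact months and leap years are ignored here.
UNIT_DAYS = {"Years": 365, "Months": 30, "Days": 1}

# Assumed cap that a publicly trusted CA applies to end-entity certificates.
# The page names no figure; 398 days is the CA/Browser Forum Baseline
# Requirements maximum at the time of writing. A real deployment takes the
# value from the issuing public CA rather than hard-coding it.
PUBLIC_MAX_DAYS = 398

# Constructed notBefore shared by every sample profile so the windows line up.
SAMPLE_NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class CAProfile:
    """One CA (or end-entity profile) with the fields an administrator sets."""
    name: str
    purpose: str                        # "Issuing CA" or "End-Entity"
    duration: int                       # validity duration
    unit: str                           # "Years", "Months" or "Days"
    trust: str = "private"              # "private" (emCA) or "public"
    parent: Optional["CAProfile"] = None
    not_before: datetime = SAMPLE_NOT_BEFORE

    def validity_days(self) -> int:
        return self.duration * UNIT_DAYS[self.unit]

    def not_after(self) -> datetime:
        return self.not_before + timedelta(days=self.validity_days())


def max_allowed_days(profile: CAProfile) -> Optional[int]:
    """Tightest validity (in days) policy permits for this profile, or None if unconstrained.

    Public trust: capped by the issuing public CA. Any profile with a parent:
    it must not outlive its issuer, so the parent's remaining life is a ceiling.
    """
    limit = PUBLIC_MAX_DAYS if profile.trust == "public" else None
    if profile.parent is not None:
        remaining = (profile.parent.not_after() - profile.not_before).days
        limit = remaining if limit is None else min(limit, remaining)
    return limit


def validate(profile: CAProfile) -> List[str]:
    """Return policy violations for one profile (an empty list means it is acceptable)."""
    problems: List[str] = []
    if profile.unit not in UNIT_DAYS:
        return [f"{profile.name}: unknown validity unit {profile.unit!r}"]
    if profile.duration <= 0:
        return [f"{profile.name}: validity duration must be positive"]

    days = profile.validity_days()
    if profile.trust == "public" and days > PUBLIC_MAX_DAYS:
        problems.append(f"{profile.name}: public CA caps validity at {PUBLIC_MAX_DAYS} days, requested {days}")

    parent = profile.parent
    if parent is not None:
        if parent.purpose == "End-Entity":
            problems.append(f"{profile.name}: issuer {parent.name!r} is End-Entity and cannot issue CAs")
        if profile.not_before < parent.not_before:
            problems.append(f"{profile.name}: starts before its issuer")
        if profile.not_after() > parent.not_after():
            overrun = (profile.not_after() - parent.not_after()).days
            problems.append(f"{profile.name}: outlives its issuer by {overrun} days")
    return problems


def build_sample_hierarchy() -> Dict[str, CAProfile]:
    """Constructed sample: a three-level private hierarchy plus three deliberately bad profiles."""
    root = CAProfile("Internal Root", "Issuing CA", 20, "Years")
    issuing = CAProfile("Internal Issuing", "Issuing CA", 5, "Years", parent=root)
    leaf = CAProfile("Workload profile", "End-Entity", 30, "Days", parent=issuing)
    return {
        "root": root,
        "issuing": issuing,
        "leaf": leaf,
        # Subordinate configured to outlive its 20-year root.
        "too_long": CAProfile("Over-long Sub", "Issuing CA", 25, "Years", parent=root),
        # Attempt to hang a CA under an End-Entity profile.
        "child_of_leaf": CAProfile("Bad Sub", "Issuing CA", 1, "Years", parent=leaf),
        # Two-year request against a public CA; the CA's cap, not the customer, decides.
        "public_two_years": CAProfile("Public site cert", "End-Entity", 2, "Years", trust="public"),
    }


if __name__ == "__main__":
    for key, profile in build_sample_hierarchy().items():
        status = validate(profile) or ["ok"]
        print(f"{key:18} requested={profile.validity_days():>5}d "
              f"cap={max_allowed_days(profile)} -> {'; '.join(status)}")
```

Running the module prints one line per profile with the requested validity, the ceiling derived from its issuer and trust domain, and any violations. The issuer-window check matters in practice because a chain whose subordinate outlives its parent silently stops validating the day the parent expires, well before the subordinate's own notAfter suggests.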


emCA vs Microsoft PKI – Hierarchy Support

CertiNext supports building and managing private CA hierarchies only with emCA.

Key distinctions:

  • emCA: CertiNext supports full private PKI hierarchy creation, including root CAs, subordinate CAs, and issuing CAs, with configurable validity at each level.

  • Microsoft Active Directory Certificate Services (AD CS): CertiNext integrates with Microsoft PKI for lifecycle management and visibility but does not support creating or modifying private CA hierarchies. Hierarchy design, validity, and CA structure for AD CS remain managed natively within Microsoft.

This ensures CertiNext respects platform boundaries while providing deep PKI lifecycle capabilities where supported.


Why Validity Controls Matter

Properly configured validity controls help organizations:

  • Reduce risk exposure from long-lived certificates

  • Enforce cryptographic and lifecycle policies

  • Align with Zero Trust and automation-first architectures

  • Maintain compliance across public and private trust domains


Summary

CertiNext enforces certificate validity based on trust context:

  • Public CA validity is dictated by CA/Browser Forum and root store requirements and enforced automatically

  • Private CA validity is configurable within CertiNext for emCA-based hierarchies

  • Microsoft PKI is supported for lifecycle operations but not for hierarchy or validity design

This model ensures strong compliance for public trust while preserving flexibility and control for private PKI deployments.