# Validity Period Controls

**Validity controls** define how long a certificate or Certificate Authority (CA) remains valid before it must be renewed or replaced. CertiNext applies validity controls differently for **publicly trusted CAs** and **private CAs**, reflecting the distinct governance models and compliance requirements that apply to each trust domain.

This separation ensures that public trust certificates remain compliant with global browser standards, while private PKI deployments retain the flexibility required for internal and machine identity use cases.

#### Validity Controls for Public Certificate Authorities

For **publicly trusted CAs**, certificate validity is **not configurable by the customer** within CertiNext.

Public certificate lifetimes are strictly governed by:

* **CA/Browser Forum Baseline Requirements**
* Browser and operating system root store policies
* CA-specific public trust rules

As a result:

* Maximum certificate validity is enforced by the issuing public CA
* Validity options exposed in CertiNext align with what the public CA allows
* Customers cannot extend certificate lifetimes beyond permitted limits

CertiNext enforces these rules automatically to ensure continued browser trust, compliance, and interoperability.

#### Validity Controls for Private Certificate Authorities

For **private CAs**, certificate validity is **fully configurable within CertiNext**, as shown in the Private CA creation workflow.

When creating a private CA or subordinate CA, administrators can define:

* **Validity duration**
* **Validity unit** (Years, Months, or Days)
* Purpose of the CA (Issuing CA or End-Entity)

![Private CA creation workflow](/files/58YC6TgMBwwI587EfFqR)

This flexibility allows organizations to:

* Design long-lived root CAs for internal trust
* Configure shorter-lived issuing or end-entity CAs
* Align certificate lifetimes with security, operational, or compliance requirements
* Support short-lived certificates for Zero Trust and automation-driven environments

These controls apply to **emCA-based private PKI deployments** managed within CertiNext.
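The duration and unit fields above translate into a concrete notAfter, and in a multi-level hierarchy each CA's lifetime has to be chosen relative to its parent's. The following Python is an added illustration, not CertiNext's code: the calendar clamping for Years/Months and the rule that a child CA should not outlive its parent are this example's assumptions, and the sample hierarchy is constructed.

```python
from datetime import datetime, timedelta, timezone
import calendar

UNITS = ("Years", "Months", "Days")   # validity units offered in the workflow

def compute_not_after(not_before: datetime, duration: int, unit: str) -> datetime:
    """notAfter for a validity of <duration> <unit> starting at not_before.

    Years and Months advance the calendar and clamp to the last valid day of
    the target month (31 Jan + 1 Month -> 28 or 29 Feb); Days add exact days.
    """
    if unit not in UNITS or duration <= 0:
        raise ValueError(f"invalid validity: {duration} {unit}")
    if unit == "Days":
        return not_before + timedelta(days=duration)
    months = duration * 12 if unit == "Years" else duration
    index = not_before.month - 1 + months            # zero-based month offset
    year, month = not_before.year + index // 12, index % 12 + 1
    day = min(not_before.day, calendar.monthrange(year, month)[1])
    return not_before.replace(year=year, month=month, day=day)

def check_hierarchy(levels, not_before: datetime) -> list[str]:
    """Walk a hierarchy root-first; each entry is (name, duration, unit).

    Flags any CA whose notAfter would outlive its parent's. That nesting rule
    is this example's assumption (a common practitioner check), not a CertiNext
    behaviour stated on the page. All levels share the same not_before.
    """
    findings, parent_not_after = [], None
    for name, duration, unit in levels:
        not_after = compute_not_after(not_before, duration, unit)
        if parent_not_after is not None and not_after > parent_not_after:
            findings.append(f"{name}: expires {not_after:%Y-%m-%d}, after its "
                            f"parent ({parent_not_after:%Y-%m-%d})")
        parent_not_after = not_after
    return findings

# Constructed sample: long-lived root, shorter issuing CA, and an end-entity
# CA whose 72-month lifetime deliberately exceeds its 5-year parent.
SAMPLE_HIERARCHY = [
    ("Corp Root CA", 10, "Years"),
    ("Corp Issuing CA", 5, "Years"),
    ("Device End-Entity CA", 72, "Months"),
]

if __name__ == "__main__":
    start = datetime(2024, 1, 31, tzinfo=timezone.utc)
    for line in check_hierarchy(SAMPLE_HIERARCHY, start) or ["hierarchy OK"]:
        print(line)
```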

***

#### emCA vs Microsoft PKI – Hierarchy Support

CertiNext supports **building and managing private CA hierarchies only with emCA**.

Key distinctions:

* **emCA**\
  CertiNext supports full private PKI hierarchy creation, including root CAs, subordinate CAs, and issuing CAs, with configurable validity at each level.
* **Microsoft Active Directory Certificate Services (AD CS)**\
  CertiNext integrates with Microsoft PKI for lifecycle management and visibility but **does not support creating or modifying private CA hierarchies**. Hierarchy design, validity, and CA structure for AD CS remain managed natively within Microsoft.

This ensures CertiNext respects platform boundaries while providing deep PKI lifecycle capabilities where supported.

***

#### Why Validity Controls Matter

Properly configured validity controls help organizations:

* Reduce risk exposure from long-lived certificates
* Enforce cryptographic and lifecycle policies
* Align with Zero Trust and automation-first architectures
* Maintain compliance across public and private trust domains

***

#### Summary

CertiNext enforces certificate validity based on **trust context**:

* **Public CA validity** is dictated by CA/Browser Forum and root store requirements and enforced automatically
* **Private CA validity** is configurable within CertiNext for emCA-based hierarchies
* **Microsoft PKI** is supported for lifecycle operations but not for hierarchy or validity design

This model ensures strong compliance for public trust while preserving flexibility and control for private PKI deployments.
