I'm working on just-in-time provisioning of our IoT devices with AWS IoT Core. I'm following this AWS article and everything is working fine. One thing I'm unsure of is expiration dates for the CA and device cert. It makes sense to me to make the expiration dates far in the future so that I don't run into any expiration issues. So, I'm setting the expiration to 10 years out for both the CA and device cert. Does this conform with best practices?
I've read that a CA's expiration can be 10-20 years out. But, I've only seen examples of device certs expiring 90 days to 1 year out. Having our device certs expire so soon seems like it could be a lot of work to update in the near future. Thoughts?
In theory, you can introduce your custom CA and create your own certificates with a longer lifetime, but creating that kind of certificate would not be a secure way to do it. In order to give long-lived certificates, you should build some kind of mechanism to renew your certificate.
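As an added illustration of the renewal mechanism the answer above calls for (this is example code, not from the AWS article or the answer), here is a renewal-window check a device could run before connecting. It assumes the device can read its own certificate's validity dates, for example from the output of `openssl x509 -noout -dates`, and the thresholds (renew once two thirds of the lifetime has elapsed, or within 7 days of expiry) are assumptions chosen for illustration, not AWS IoT Core requirements. The key distinction it encodes is that a certificate that is still valid can be used to authenticate a renewal request, while an expired one cannot and the device has to fall back to a fresh bootstrap (re-provisioning).

```python
"""Renewal-window check for a device certificate (added example, not the
page's code). Validity dates are taken in the format printed by
`openssl x509 -noout -dates`, e.g. `notAfter=Jun  1 12:00:00 2030 GMT`.
Thresholds are illustrative assumptions."""
import ssl
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    OK = "ok"                        # still well inside lifetime: connect normally
    RENEW = "renew"                  # valid, but near expiry: request a new cert now
    NOT_YET_VALID = "not_yet_valid"  # device clock is behind notBefore (clock skew)
    REPROVISION = "reprovision"      # expired: cannot authenticate, needs a fresh bootstrap


@dataclass(frozen=True)
class Validity:
    not_before: int  # seconds since the Unix epoch
    not_after: int


def parse_openssl_dates(text: str) -> Validity:
    """Parse the two lines printed by `openssl x509 -noout -dates`.

    ssl.cert_time_to_seconds understands the `Mon DD HH:MM:SS YYYY GMT`
    form that openssl prints (including the double space before a
    single-digit day)."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    return Validity(fields["notBefore"], fields["notAfter"])


def renewal_action(v: Validity, now: int,
                   renew_fraction: float = 2 / 3,
                   min_window_s: int = 7 * 86400) -> Action:
    """Decide what the device should do given its certificate validity
    window and the current time.

    - expired            -> REPROVISION (the cert can no longer authenticate)
    - not yet valid      -> NOT_YET_VALID (fix the clock before connecting)
    - past renew_fraction of the lifetime, or within min_window_s of
      expiry            -> RENEW while the current cert still works
    - otherwise          -> OK
    """
    if now >= v.not_after:
        return Action.REPROVISION
    if now < v.not_before:
        return Action.NOT_YET_VALID
    total = v.not_after - v.not_before
    elapsed = now - v.not_before
    remaining = v.not_after - now
    if elapsed >= renew_fraction * total or remaining <= min_window_s:
        return Action.RENEW
    return Action.OK


def at(openssl_time: str) -> int:
    """Helper: turn an openssl-style timestamp into epoch seconds."""
    return ssl.cert_time_to_seconds(openssl_time)


# Constructed sample data: a 1-year device certificate and a 10-year CA.
DEVICE_DATES = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2025 GMT
"""
CA_DATES = """\
notBefore=Jan  1 00:00:00 2020 GMT
notAfter=Jan  1 00:00:00 2030 GMT
"""

if __name__ == "__main__":
    dev = parse_openssl_dates(DEVICE_DATES)
    for when in ("Jun  1 00:00:00 2024 GMT",
                 "Oct  1 00:00:00 2024 GMT",
                 "Feb  1 00:00:00 2025 GMT"):
        print(when, "->", renewal_action(dev, at(when)).value)
```

With the 1-year device certificate in the sample, the check reports `ok` in June, `renew` from September onwards (two thirds of the lifetime), and `reprovision` once the year has passed; the same function applied to the 10-year CA in 2025 still reports `ok`, which is the asymmetry the question is asking about: a long CA lifetime is only safe because the short-lived device certificates under it are rotated on a schedule like this one.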