MS-PRESS recommended design guidelines for multi-tier PKI systems give validity periods along the lines of:

- 8 years for the root
- 4 years for the "policy"
- 2 years for the "issuing"
- 1 year for the issued certificate

This is ostensibly due to fears of brute-force cracking of the private keys over the root key's validity period. Accompanying this recommendation is one for key lengths of:

- 4096 for the root
- 2048 for the policy
- 1024 for the issuing and for the issued

I have found the downside to this: constant renewals every single year, of either minor or major impact. While MS-AD PKI client implementations seem to handle most of the re-signing (except for the root) just fine, external implementations struggle with some details, such as "chaining up to the root" trusting (thereby only requiring them to trust the root cert), and such as trusting two different certs (for an issuing CA that gets re-signed) that have the same common name, hence loads of fun every 11 months or so.

I am about to recommend a re-implementation along these lines:

- 80 years for the root, 4096-bit key
- 35 years for the policy, 4096-bit key
- 15 years for the issuing, ?-bit key
- <=5 years for the issued certificates

Good idea? Bad idea? Comments? Are all PKI client implementations in the wild 4096-bit compatible?

Thanks in advance,
Joe
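As an added illustration (not part of Joe's post), here is a small Python model of the renewal treadmill implied by nested validity periods: a CA can only issue full-length children while its remaining validity exceeds theirs, so each tier's usable period is its own validity minus the next tier's. The issuing-tier key size left open in the proposal is assumed to be 4096 bits, the end-entity key 2048 bits, and 2048 bits is the assumed RSA floor.

```python
"""Lifetime planner for a multi-tier PKI (added example, standard library only).

Simplified model: a CA must be renewed once its remaining validity is shorter
than the certificates it issues, otherwise new children are truncated at the
parent's notAfter. A tier's usable period is therefore its validity minus the
validity of the tier below it, and that period drives the renewal schedule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    validity_years: int
    key_bits: int


def problems(tiers, min_key_bits=2048):
    """Flag children that do not fit inside their parent and keys below an assumed RSA floor."""
    found = []
    for parent, child in zip(tiers, tiers[1:]):
        if child.validity_years >= parent.validity_years:
            found.append(f"{child.name} ({child.validity_years}y) does not fit inside "
                         f"{parent.name} ({parent.validity_years}y)")
    for t in tiers:
        if t.key_bits < min_key_bits:
            found.append(f"{t.name}: {t.key_bits}-bit key is below the {min_key_bits}-bit floor")
    return found


def usable_years(tiers):
    """Years during which each tier can still issue full-length children (leaf: its own validity)."""
    return {t.name: t.validity_years - (tiers[i + 1].validity_years if i + 1 < len(tiers) else 0)
            for i, t in enumerate(tiers)}


def renewal_schedule(tiers, horizon_years):
    """Years from deployment at which each tier must be re-issued, strictly inside the horizon."""
    return {name: (list(range(period, horizon_years, period)) if period > 0 else [])
            for name, period in usable_years(tiers).items()}


# Constructed inputs: the MS-Press style design and the proposal from the post.
# The proposal leaves the issuing key size open ("?-bit"); 4096 is assumed here,
# as is 2048 for the issued (end-entity) certificates.
MS_PRESS = [Tier("root", 8, 4096), Tier("policy", 4, 2048),
            Tier("issuing", 2, 1024), Tier("issued", 1, 1024)]
PROPOSED = [Tier("root", 80, 4096), Tier("policy", 35, 4096),
            Tier("issuing", 15, 4096), Tier("issued", 5, 2048)]

if __name__ == "__main__":
    for label, design in (("MS-Press", MS_PRESS), ("Proposed", PROPOSED)):
        print(label, usable_years(design), renewal_schedule(design, 80), problems(design))
```

Under this model the MS-Press layout leaves the root usable for only 4 years and the issuing CA for 1 year, which is the yearly re-signing the post complains about; the proposal stretches those to 45 and 10 years respectively.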