On Wed, Mar 03, 2021 at 12:34:19AM -0500, Phillip Hallam-Baker wrote:
> The practical limit on certificate lifespan is 48 hours renewed every 24
> unless you have a means of reliably getting trusted time into the client.

For server certificates five days is fine. For clients you want something
akin to Kerberos. Typical Kerberos installations issue 10-hour TGTs that are
renewable (note: Kerberos sense of renewal) for a few days, and after that
the user has to type in their password or do whatever MFA dance.

> I have been trying to find info on SSH user certs on and off for quite a
> while. Seems like an under-documented feature... They solve a big problem
> for me :-)

Honestly, they're not that interesting to me because of the limited
hierarchy they have. I'd rather it were PKIX certs. But at least they got
something right: subject naming, which they call principal names, and which
are just strings, freeform strings. That means that if you are migrating
from some other system, you can keep that other system's naming.
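As an added example, not code from this thread or from OpenSSH: a minimal Python encoder/decoder for the OpenSSH user certificate body (the PROTOCOL.certkeys layout for ssh-ed25519-cert-v01@openssh.com, with the signature fields left empty and not verified). It shows the two points above: the principal list is a packed list of arbitrary strings, so names from a legacy system can be carried over unchanged, and the validity check is only as good as the clock value the verifier passes in. The key id, principal names, public key bytes and timestamps are constructed sample values.

```python
import struct

# Layout per PROTOCOL.certkeys; signing/verification deliberately omitted.
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(pubkey: bytes, key_id: str, principals: list,
                    valid_after: int, valid_before: int) -> bytes:
    """Constructed, unsigned user certificate body (signature fields empty)."""
    body = _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(pubkey)          # type, nonce, key
    body += struct.pack(">QI", 0, SSH_CERT_TYPE_USER) + _s(key_id.encode())
    body += _s(b"".join(_s(p.encode()) for p in principals))      # freeform strings
    body += struct.pack(">QQ", valid_after, valid_before)         # seconds since epoch
    body += _s(b"") + _s(b"") + _s(b"")   # critical options, extensions, reserved
    return body + _s(b"") + _s(b"")       # signature key, signature (unsigned here)


def parse_user_cert(blob: bytes) -> dict:
    """Decode the fields a server consults when deciding whether to allow a login."""
    pos = 0
    def rd_s():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos); pos += 4
        val = blob[pos:pos + n]; pos += n
        return val
    if rd_s() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    rd_s(); rd_s()                                  # nonce, public key
    serial, ctype = struct.unpack_from(">QI", blob, pos); pos += 12
    key_id = rd_s().decode()
    packed = rd_s(); principals = []; q = 0         # nested list of strings
    while q < len(packed):
        (n,) = struct.unpack_from(">I", packed, q); q += 4
        principals.append(packed[q:q + n].decode()); q += n
    valid_after, valid_before = struct.unpack_from(">QQ", blob, pos)
    return {"type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def authorize(blob: bytes, login_name: str, now: int) -> bool:
    """sshd-style check: user cert, requested login is a listed principal, and
    'now' (the verifier's own clock, which must be trustworthy) is in the window."""
    c = parse_user_cert(blob)
    return (c["type"] == SSH_CERT_TYPE_USER and login_name in c["principals"]
            and c["valid_after"] <= now < c["valid_before"])
```

A skewed or attacker-controlled clock on the verifying side moves the window, which is why the thread ties short lifetimes to having trusted time.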