Issue a certificate with indefinite validity

[isaac129]

Is it possible for a CA that has a limited validity period (eg, 20 years) to issue an end entity certificate that has indefinite validity (endDate of "99991231235959Z")?

I am looking to configure a CA to issue IDevID certificates that will have indefinite validity period. However, it seems that the issued certificates have the same validity as the issuing CA, despite the fact that i have set the validity of "9999-12-31 23:59:59+00:00" in the certificate profile for the IDevID end entities.

[primetomas]

No that is not possible. The certificate chain should still be possible to validate using standard path validation algorithms (i.e. as coded in most development libraries), which means all certificates in the chain must be valid ad time of validation.
Anything else that the whole chain having indefinite validity will only be usable by custom validation code, not complying with RFC5280 path validation algorithm. That would easily lead to terrible outcomes in 20 years when the issuing CA expires and developers forgot that that custom validation code was needed.

[isaac129]

The EJBCA tutorial below seems to suggest that it is possible to issue certificates with infinite validity:
https://docs.keyfactor.com/ejbca/8.3.2/tutorial-get-started-with-device-identities-based-

However, following the instructions on the page and the video tutorial still results in IDevID certificates with limited validity.

[primetomas]

Yeah that seems to be wrong in the tutorial. I'll make sure to get that sorted. Thanks for pointing that out.