Assumptions
- The SCMS instance created for the CV Pilots shall be separate from the SCMS PoC instance
- The ICA and subordinate certificates shall expire on or before 12:00:00 UTC January 3, 2025
- Estimated project expiration of 00:00:00 UTC January 1, 2025 + 60 hours (due to 1609.2 time unit restrictions)
- No component certificates shall have a starting date after the end of the estimated project duration
- The private keys of all component certificates subordinate to the root shall be destroyed at the end of the estimated project duration
- The root certificate shall have an expiration of 70 years and an in-use lifetime of 20 years to support possible future activities
- All components subordinate to the ICA have an in-use lifetime that is sufficiently short and requires at least one rollover (renewal) event during the estimated project duration
- PKI hierarchy:
  - The ICA, policy generator, CRL generator and MA certificates shall be issued directly by the Root CA
  - The subtree below the ICA is identical to that of the PoC, i.e., it has one instance of each component: ECA, PCA, DCM, RA, and LA
- Leap seconds declared after 00:00:00 UTC 1/1/2017 are not considered
Certificate Lifetime Overview
Definitions of available 1609.2 units of time used by certificates can be found in IEEE Std 1609.2-2016, Sections 6.4.14, 6.4.15 and 6.4.16. Note that the "years" duration is defined as a specific number of seconds.
The following tables provide the certificate expiration and renewal periods to be used for the CV Pilot Production instance deployment.
Certificate / Generation | Start (1609.2 Time32) | Duration (1609.2 units) | Duration Unit | Duration (TAI seconds) | Expiration (1609.2 Time32) | Start (UTC) | Expiration (UTC) | Notes |
---|---|---|---|---|---|---|---|---|
Root CA Certificate | 385,689,600 | 70 | years | 2,208,986,640 | 2,594,676,240 | 23:59:55 March 21, 2016 (Monday) | 23:23:55 March 21, 2086 (Thursday) | ISS - Reference only |
ICA Certificate | 410,313,605 | 1169 | sixtyHours | 252,504,000 | 662,817,605 | 00:00:00 January 1, 2017 (Sunday) | 12:00:00 January 1, 2025 (Wednesday) | |
ECA Certificates | | | | | | | | |
1 | 428,630,405 | 1084 | sixtyHours | 234,144,000 | 662,774,405 | 00:00:00 August 1, 2017 (Tuesday) | 00:00:00 January 1, 2025 (Wednesday) | |
2 | 523,324,805 | 38736 | hours | 139,449,600 | 662,774,405 | 00:00:00 August 1, 2020 (Saturday) | 00:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
PCA Certificates | | | | | | | | |
1 | 428,662,805 | 35281 | hours | 127,011,600 | 555,674,405 | 09:00:00 August 1, 2017 (Tuesday) | 10:00:00 August 10, 2021 (Tuesday) | |
2 | 460,112,405 | 35113 | hours | 126,406,800 | 586,519,205 | 09:00:00 July 31, 2018 (Tuesday) | 10:00:00 August 2, 2022 (Tuesday) | |
3 | 491,562,005 | 35113 | hours | 126,406,800 | 617,968,805 | 09:00:00 July 30, 2019 (Tuesday) | 10:00:00 August 1, 2023 (Tuesday) | |
4 | 523,011,605 | 35113 | hours | 126,406,800 | 649,418,405 | 09:00:00 July 28, 2020 (Tuesday) | 10:00:00 July 30, 2024 (Tuesday) | |
5 | 554,461,205 | 30099 | hours | 108,356,400 | 662,817,605 | 09:00:00 July 27, 2021 (Tuesday) | 12:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
6 | 585,910,805 | 21363 | hours | 76,906,800 | 662,817,605 | 09:00:00 July 26, 2022 (Tuesday) | 12:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
7 | 617,965,205 | 12459 | hours | 44,852,400 | 662,817,605 | 09:00:00 August 1, 2023 (Tuesday) | 12:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
8 | 649,414,805 | 3723 | hours | 13,402,800 | 662,817,605 | 09:00:00 July 30, 2024 (Tuesday) | 12:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
RA, LA, DCM Certificates | | | | | | | | |
1 | 428,630,405 | 26472 | hours | 95,299,200 | 523,929,605 | 00:00:00 August 1, 2017 (Tuesday) | 00:00:00 August 8, 2020 (Saturday) | Leap Day |
2 | 523,324,805 | 26448 | hours | 95,212,800 | 618,537,605 | 00:00:00 August 1, 2020 (Saturday) | 00:00:00 August 8, 2023 (Tuesday) | |
3 | 617,932,805 | 12456 | hours | 44,841,600 | 662,774,405 | 00:00:00 August 1, 2023 (Tuesday) | 00:00:00 January 1, 2025 (Wednesday) | Reduced Lifetime |
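
The arithmetic behind the table above can be checked mechanically. The following Python sketch is an added example, not part of the original page or of any SCMS tooling: it recomputes each expiration from the start and duration and flags any subordinate certificate whose validity runs past the latest permitted expiration. It assumes the 1609.2 Time32 epoch of 00:00:00 UTC January 1, 2004 and a fixed 5-second TAI-to-UTC offset, which is inferred from the table's Start values and the leap-second assumption above; the function and constant names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Seconds per 1609.2 Duration unit; "years" matches the Root CA row
# (2,208,986,640 s / 70).
UNIT_SECONDS = {"hours": 3_600, "sixtyHours": 216_000, "years": 31_556_952}

TIME32_EPOCH = datetime(2004, 1, 1, tzinfo=timezone.utc)  # 1609.2 Time32 epoch
LEAP_SECONDS = 5  # assumption inferred from the table: fixed TAI-UTC offset
PROJECT_END = datetime(2025, 1, 3, 12, 0, 0, tzinfo=timezone.utc)  # latest allowed expiry

def expiration_time32(start, count, unit):
    """Start (Time32) plus a Duration, encoded as a Uint16 count of one unit."""
    if not 0 <= count <= 0xFFFF:
        raise ValueError(f"{count} {unit} does not fit a Uint16 Duration")
    return start + count * UNIT_SECONDS[unit]

def time32_to_utc(t):
    """Time32 counts TAI seconds; subtract the fixed leap-second offset for UTC."""
    return TIME32_EPOCH + timedelta(seconds=t - LEAP_SECONDS)

# Rows copied from the table: (name, start, count, unit, stated expiration).
ROWS = [
    ("Root CA", 385_689_600, 70, "years", 2_594_676_240),
    ("ICA", 410_313_605, 1169, "sixtyHours", 662_817_605),
    ("ECA 1", 428_630_405, 1084, "sixtyHours", 662_774_405),
    ("ECA 2", 523_324_805, 38736, "hours", 662_774_405),
    ("PCA 1", 428_662_805, 35281, "hours", 555_674_405),
    ("PCA 8", 649_414_805, 3723, "hours", 662_817_605),
    ("RA/LA/DCM 3", 617_932_805, 12456, "hours", 662_774_405),
]

def audit(rows):
    """Return findings: arithmetic mismatches or validity past the project end."""
    findings = []
    for name, start, count, unit, stated in rows:
        if expiration_time32(start, count, unit) != stated:
            findings.append(f"{name}: start + duration != stated expiration")
        if name == "Root CA":  # the root deliberately outlives the project
            continue
        if time32_to_utc(start) > PROJECT_END:
            findings.append(f"{name}: starts after project end")
        if time32_to_utc(stated) > PROJECT_END:
            findings.append(f"{name}: expires after project end")
    return findings

if __name__ == "__main__":
    for name, start, _, _, stated in ROWS:
        print(name, time32_to_utc(start), "->", time32_to_utc(stated))
    print(audit(ROWS) or "all rows consistent")
```
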
Certificate Type | Issuing CA | Expiration | In Use | Request for Renewal | Start of Validity for Renewal | Number of Concurrently Valid Certificates (In-Use [+ Legacy]) | Example Size in Bytes (Certs are Not Fixed Size) | Notes |
---|---|---|---|---|---|---|---|---|
OBE Enrollment | ECA | Variable | Same as expiration | N/A | N/A | 1 | 87 | All OBE enrollment certificates shall be issued with an expiration on or before 12:00:00 UTC January 3, 2025 regardless of the date they are issued |
OBE Pseudonym | PCA | 1 week + 1 hour | 1 week | Anytime | 1 week | 20 + 20 (for just 1 hour) | 91 | |
OBE Identification | PCA | 1 month + 1 hour | 1 month | Anytime | 1 month | 1 + 1 (for just 1 hour) | 89 | |
RSE Enrollment | ECA | Variable | Same as expiration | N/A | N/A | 1 | 109 | All RSE enrollment certificates shall be issued with an expiration on or before 12:00:00 UTC January 3, 2025 regardless of the date they are issued |
RSE Application | PCA | 1 week + 1 hour | 1 week | Anytime | 1 week | 1 + 1 (for just 1 hour) | | |
Elector | Self | 12 years | 12 years | 3 months before end of In-use | 12 years | 3 (1 per elector) | 166 | The initial elector certificates have an expiration and "in use" time of 4, 8 and 12 years, respectively |
Renewal/Rollover Requirements
Expiration, In-use, and Overlap Requirements
Overview Diagrams
The following diagrams illustrate the expiration period of various certificate types. The diagrams show the specific duration of the certificate (valid from and to dates) only and do not account for setup time (request generation, signing ceremony, distribution, etc.). Each section shows the life of a single instance of a component under typical (non-compromised) conditions. If multiple instances exist, they would follow a similar pattern but the specific dates may be shifted within the validity period. Lifetimes may be adjusted in the future to account for leap seconds, rounding requirements or operational requirements.