7

What is the length of the longest certificate chain till date?

I want to know the number of certificate authorities in that chain and not the size of the certificate chain.

d_geeks

2 Answers

7

There is no such limit defined. However, you should create chains as short as possible. In practice, it is no more than 3 CA levels (where the 4th is the leaf end-entity certificate).

This is because applications (it is very application-specific) may apply restrictions on chain size in bytes. And more importantly, building and validating a long chain may result in a chaining engine timeout. For example, in Windows operating systems, the chain building and validation timeout is 15 seconds. If you have a long chain, you can easily reach this value and get a certificate trust error even if the final chain is valid.

It is worth mentioning that long chains increase administrative and management overhead. Depending on your needs, I would suggest going with a 2- or 3-tier hierarchy.

Crypt32
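One way to apply the depth guidance from the answer above when validating a presented chain, as an added example that is not part of the original answer. Certificates are modelled as constructed records rather than parsed X.509 (the `Cert` class, `count_ca_levels` and all sample names are hypothetical), and the check goes beyond the answer by also enforcing the basicConstraints pathLenConstraint defined in RFC 5280.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, None = unlimited


class ChainError(Exception):
    """Raised when a chain is malformed or violates a depth limit."""


def count_ca_levels(chain: List[Cert], max_ca_levels: int = 3) -> int:
    """Return the number of CA certificates in a leaf-first chain, or raise ChainError."""
    if not chain:
        raise ChainError("empty chain")
    cas = chain[1:]
    # Apply the local policy cap first so an oversized chain is rejected cheaply.
    if len(cas) > max_ca_levels:
        raise ChainError(f"{len(cas)} CA levels exceeds policy limit {max_ca_levels}")
    child = chain[0]
    below = 0  # non-self-issued CA certificates between the current CA and the leaf
    for ca in cas:
        if not ca.is_ca:
            raise ChainError(f"{ca.subject!r} is not marked as a CA")
        if child.issuer != ca.subject:
            raise ChainError(f"{child.subject!r} was not issued by {ca.subject!r}")
        if ca.path_len is not None and below > ca.path_len:
            raise ChainError(f"pathLenConstraint of {ca.subject!r} exceeded")
        if ca.subject != ca.issuer:  # self-issued certificates do not count
            below += 1
        child = ca
    return len(cas)


# Constructed sample: a 3-tier hierarchy plus the end-entity certificate.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
POLICY = Cert("Example Policy CA", "Example Root CA", is_ca=True, path_len=1)
ISSUING = Cert("Example Issuing CA", "Example Policy CA", is_ca=True, path_len=0)
LEAF = Cert("www.example.test", "Example Issuing CA")
SAMPLE_CHAIN = [LEAF, ISSUING, POLICY, ROOT]

if __name__ == "__main__":
    print("CA levels:", count_ca_levels(SAMPLE_CHAIN))
```
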
-2

Unfortunately, such a question does not make much sense, because you can build as long a chain as you want. Some CAs issue several "levels" of CA certificates, often with very different issuer names, so you can't always say that this is the same CA (though it is).

Eugene Mayevski 'Callback
  • 5
    I was looking for the answer of this to keep in validation while making GUI for SSL. Why do you think it doesn't make sense? – Amit Shah May 31 '17 at 06:28