"MS-PRESS recommended design guidelines for multi-tier PKI systems for
validity periods are along the lines of

8 years for the root
4 years for the "policy"
2 years for the "issuing"
1 year for the issued certificate"


Don't forget that Microsoft would like you to buy their OS once every five 
years or so, not every 80 years.

4 tiers is a bit much; three would work fine in most organizations.  IMHO 
10/5/3/1 is OK, 10/5/2 for three tier.  Issuing certs to clients can be 
automated via GPO with zero client downtime.  It is the renewal upstream to the 
root CAs by the subordinates which can cause issues and downtime if not 
properly managed.

Edward Ray
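The scheduling point in the post (subordinate renewal upstream is where the downtime hides) can be made concrete. The following is an added example, not part of Edward Ray's post or of any Microsoft document. It assumes the standard AD CS behaviour that a CA never issues a certificate whose notAfter is later than its own certificate's notAfter (the child's validity is truncated instead), and uses the 10/5/2/1 tier lengths from the post as a hypothetical plan with a constructed start date.

```python
from datetime import date

# Hypothetical four-tier plan from the thread, in years, root first, leaf last.
TIERS = [("root", 10), ("policy", 5), ("issuing", 2), ("leaf", 1)]


def add_years(d, years):
    """Shift a date by whole years, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def effective_not_after(issued_on, validity_years, issuer_not_after=None):
    """Assumed AD CS rule: an issued cert cannot outlive the issuing CA's own cert.

    Returns the notAfter the subject actually gets: the requested end date,
    or the issuer's notAfter if that comes first (truncation).
    """
    wanted = add_years(issued_on, validity_years)
    if issuer_not_after is not None and issuer_not_after < wanted:
        return issuer_not_after
    return wanted


def chain_not_afters(issued_on, validities):
    """Stand up every tier on the same day; return each tier's notAfter, top-down."""
    result = []
    issuer_na = None
    for years in validities:
        na = effective_not_after(issued_on, years, issuer_na)
        result.append(na)
        issuer_na = na
    return result


def full_issuance_window_years(ca_validity, child_validity):
    """How long a CA can issue full-length child certs before truncation starts.

    A CA valid for V years that issues C-year children only has V - C years
    in which a child gets its full C years; after that the parent must be
    renewed or every child is cut short.
    """
    return max(ca_validity - child_validity, 0)


def renewal_deadlines(start, tiers):
    """For each CA tier, the last date it can issue a full-length child cert.

    This is the date by which the tier above it must have renewed that CA
    (or the CA itself must be reissued) to avoid truncated subordinates.
    """
    deadlines = {}
    issuer_na = None
    for (name, years), (_, child_years) in zip(tiers, tiers[1:]):
        na = effective_not_after(start, years, issuer_na)
        deadlines[name] = add_years(na, -child_years)
        issuer_na = na
    return deadlines


if __name__ == "__main__":
    start = date(2024, 1, 1)  # constructed start date
    for (name, years), na in zip(TIERS, chain_not_afters(start, [y for _, y in TIERS])):
        print(f"{name:8s} {years:2d}y  notAfter {na}")
    for name, deadline in renewal_deadlines(start, TIERS).items():
        print(f"renew {name} CA (or its issuer) by {deadline}")
    # A leaf requested mid-2025 from the 2-year issuing CA gets cut to the CA's end date.
    print(effective_not_after(date(2025, 7, 1), 1, date(2026, 1, 1)))
```

With 10/5/2/1 the numbers are less comfortable than they look: the root can hand out full 5-year policy certs for only 5 years, the policy CA full 2-year issuing certs for only 3 years, and the issuing CA full 1-year leaves for just 1 year before every leaf starts coming back truncated. Those windows, not the GPO-driven leaf autoenrollment, are where a renewal calendar has to exist.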
