When do you generate a new key pair?

I've been meaning to write about an interesting question that was sent in by a listener of the Security Now! podcast a while ago. In episode #222 "Jason M. from San Diego" commented on how Steve had previously suggested that 1024-bit key lengths for web server security were justifiable because they typically expire in three years anyway. Well, the certificate authority's signing certificate may expire in three years, but that doesn't cause the server's key pair to expire. See the transcript for a thorough discussion by Steve and Leo.

 
Until listening to this episode, I'd always generated a key pair with OpenSSL once, then locked it down with mode 400 permissions and forgotten about it. When the certificate authority notified me of an approaching expiration date, I'd just renew and receive a new certificate using the original certificate signing request. It would be better to generate a new key pair each year, rather than have the CA reuse the old CSR.
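As an added example (not code from the original post), here is a small POSIX shell routine that does what the post recommends at renewal time: generate a fresh key pair and CSR, keep the key owner-only, and check that the new public key really differs from last year's rather than silently reusing the old one. It assumes the openssl command-line tool is installed; the 2048-bit key size, file names and subject are assumptions.

```shell
#!/bin/sh
# Added example: rotate a server key pair at certificate renewal instead of
# re-submitting the old CSR. Assumes openssl is on PATH; key size, file
# names and subject are assumptions, not values from the post.
set -eu

# Generate a fresh private key (owner-only, mode 400 as in the post) and a
# CSR derived from it.   Usage: new_key_and_csr <dir> <common-name>
new_key_and_csr() {
    dir=$1; cn=$2
    umask 077                                  # new files are owner-only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    chmod 400 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null
}

# SHA-256 fingerprint of the public key in a private key (*.key) or a CSR
# (*.csr): DER SubjectPublicKeyInfo hashed.   Usage: pubkey_fp <file>
pubkey_fp() {
    case $1 in
        *.csr) openssl req -in "$1" -pubkey -noout ;;
        *)     openssl pkey -in "$1" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if both files carry the same public key, 1 otherwise. Use it to
# confirm that this year's key is not last year's before sending the CSR.
same_pubkey() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}
```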
 
I love Security Now! Most of the topics they talk about are fairly obvious, or about things I've already dealt with. Some conversations though are total revelations, and that's why I stay tuned. I can't recommend it strongly enough for people in the business, and normal people too. ;)