Dear All,

I am new to PKI systems and have tried to read many PKI papers, but I am
still unclear about "Certificate Lifetime/Expiration" and "Public/Private
Key Lifetime/Expiration", as follows:

1) How do "Certificate Lifetime/Expiration" and "Public/Private Key
Lifetime/Expiration" differ?

2) How can we check whether this Certificate has already expired? Is it
in the information in the Certification itself?

3) Then how can we check whether the public key (and its Private Key)
that we obtained has already expired?

4) Where (and how) do we specify the lifetime of the "public/private key":
in the CA Server that generates the keys? Then, if the organization allows
its users to generate their own public/private keys, how can we control
the lifetime of the keys?

5) If the document had a digital signature signed (correctly) BEFORE
its Certification expired, then when the Certification has expired, how can
we (or what is the process to) verify that this document is valid?

6) Compare with the answer in (5): if the document had a digital signature
signed AFTER its Certification expired, how can we (or what is the
process to) verify that this document is invalid?

7) How long do we need to keep the "Certificate and its public key"
after the "CERTIFICATE" expired so that we can still verify the
previous documents and their Digital Signatures that were signed before the
expiration date?

8) How long do we need to keep the "Certificate and its public key"
after the "PUBLIC/PRIVATE KEY" expired so that we can still
verify the previous documents and their Digital Signatures that were signed
before the expiration date?

9) In the case that the Public/Private key has already expired, do we need
to put its Certificate into the CRL too?

10) Are there any papers that can explain this topic to me? Is
there any PKI FAQ that I can read or use as a reference?

I hope that you can help and clarify these questions for me. Thank you
very much in advance.

Kind Regards
Pearapon S.
pearapon@ksc.th.com