For some applications like signing software, we need to disable validity check. the case here is, the boot software is going to have trusted root ca cert. And this will be used to verify application binary.
Also, it is difficult to re-install the boot code on site after expiry of root-cert(basically new root-ca with new boot code.). As this given boot code will be verified for integrity by the hardware. Any modification on Boot code would simply stop the device from booting normally would not boot.
Thinking of disabling validity check.
THe question is
- Is it advisable to disable data/time validation?
- Alternatively, we can have public key(instead of root-ca) as part of boot code?
2.a. The problem I am seeing here is, the we need to backup the private key in secure manner - is there any recommended way?
If we opt for PKI, it is handled by 3rd party vendor, So I don’t worry about backups. If we use public key & privvate key directly, we need to handle the backup process. Need your suggestion.