I work on a Freescale i.mx28 and I use High Assurance Boot (HAB).
When creating certificates with the "hab4_pki_tree.sh" script, which is provided with the Code Signing Tool, I can enter a certificate validity duration of max. 20 years.
What happens after 20 years? Does the i.mx28 not boot anymore? Am I not able to sign software anymore? Or do I have to add new CSF and IMG certificates to sign software with them?
My questions are: Who checks the certificate duration and when? Which certificates have a limited duration (I assume the root-certificate has unlimited duration)?