I have an intuitive sense of how certificate lifetimes should work in a PKI infrastructure, but I don’t consider myself an expert in this field so I would like someone to validate or critique my assumptions:
The “leaves” on a PKI hierarchy are the certificates issued by a CA. The maximum lifetime of one such certificate is equivalent to:
renewal interval + renewal period = certificate lifetime
(renew yearly, i.e. 1 yr) + (1-month renewal period) = 13-month lifetime
An intermediate/issuing CA’s cert’s lifetime follows the same pattern, plus the maximum lifetime of a cert it can issue:
renewal interval + renewal period + child lifetime = certificate lifetime
2 years + 1 month + 13 months = 3 year, 2 month lifetime
The last step “recurses” up the PKI hierarchy through any more intermediate CA tiers until you get to the root cert.
This means, necessarily, a CA’s cert must always have a lifetime longer than the certs it issues.
Context: Apple’s Announcement about 13-month maximum cert lifetimes starting September 1st 2020 must therefore only apply to leaf certs, and not to certs issued to intermediate or root CAs.
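As an added worked example (not part of the original post), the script below carries the post's formula up a three-tier hierarchy, turns the resulting month counts into concrete notBefore/notAfter dates, and then runs the check a practitioner actually cares about: whether every certificate's validity window is nested inside its issuer's, since a path validator will not accept a leaf once its issuer has expired. The tier numbers (12+1 months for leaves, 24+1 for the intermediate, 60+1 for the root) and all issue dates are constructed assumptions chosen to match the figures in the post; calendar-month arithmetic is used because the post reasons in months.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Tier:
    name: str
    renewal_interval_months: int  # how often a fresh cert is cut for this tier
    renewal_period_months: int    # overlap during which old and new are both valid


# Constructed sample hierarchy, leaf first, using the post's numbers (assumption).
SAMPLE_TIERS = [
    Tier("leaf", 12, 1),
    Tier("intermediate", 24, 1),
    Tier("root", 60, 1),
]
# Constructed issue dates, leaf first (assumption).
GOOD_ISSUE_DATES = [date(2020, 9, 1), date(2019, 6, 1), date(2015, 1, 1)]
# Same intermediate and root, but a leaf issued late in the intermediate's life.
BAD_ISSUE_DATES = [date(2022, 3, 1), date(2019, 6, 1), date(2015, 1, 1)]


def max_lifetimes(tiers: list[Tier]) -> dict[str, int]:
    """Apply the post's recursion tier by tier, leaf first:
    lifetime(tier) = renewal interval + renewal period + lifetime(child).
    The leaf has no child, so its child term is 0."""
    lifetimes: dict[str, int] = {}
    child = 0
    for tier in tiers:
        child = tier.renewal_interval_months + tier.renewal_period_months + child
        lifetimes[tier.name] = child
    return lifetimes


def build_chain(tiers: list[Tier], issue_dates: list[date]) -> list[tuple[str, date, date]]:
    """Pair each tier with its issue date (notBefore) and derive notAfter
    from the maximum lifetime computed by max_lifetimes()."""
    lifetimes = max_lifetimes(tiers)
    return [
        (tier.name, not_before, add_months(not_before, lifetimes[tier.name]))
        for tier, not_before in zip(tiers, issue_dates)
    ]


def nesting_violations(chain: list[tuple[str, date, date]]) -> list[tuple[str, str]]:
    """Return (cert, issuer) pairs whose validity window is not inside the
    issuer's window. Path validation requires every cert in the chain to be
    valid at validation time, so a leaf that outlives its issuer stops
    validating at the issuer's notAfter, not at its own."""
    bad = []
    for (name, nb, na), (issuer, inb, ina) in zip(chain, chain[1:]):
        if nb < inb or na > ina:
            bad.append((name, issuer))
    return bad


def days_valid(chain: list[tuple[str, date, date]], name: str) -> int:
    """Lifetime of one cert in days, for comparing against day-based limits."""
    for cert, nb, na in chain:
        if cert == name:
            return (na - nb).days
    raise KeyError(name)


if __name__ == "__main__":
    print(max_lifetimes(SAMPLE_TIERS))
    for issue_dates in (GOOD_ISSUE_DATES, BAD_ISSUE_DATES):
        chain = build_chain(SAMPLE_TIERS, issue_dates)
        for name, nb, na in chain:
            print(f"{name:13} {nb} -> {na}")
        print("violations:", nesting_violations(chain) or "none")
        print("leaf days:", days_valid(chain, "leaf"))
```

With the post's figures the script reports 13, 38 and 99 months for leaf, intermediate and root. The second run shows the failure mode the formula is meant to prevent: a 13-month leaf issued in March 2022 under an intermediate that expires in August 2022 is flagged, because its notAfter lands after the issuer's.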