Is this a valid equation for determining certificate lifetimes in a PKI infrastructure?

I have an intuitive sense of how certificate lifetimes should work in a PKI infrastructure, but I don’t consider myself an expert in this field so I would like someone to validate or critique my assumptions:

The “leaves” on a PKI hierarchy are the certificates issued by a CA. The maximum lifetime of one such certificate is equivalent to:

renewal interval          + renewal period           = certificate lifetime (renew yearly, i.e. 1 yr) + (1-month renewal period) = 13 month lifetime 

An intermediate/issuing CA’s cert’s lifetime follows the same pattern, plus the maximum lifetime of a cert it can issue:

renewal interval + renewal period + child lifetime = certificate lifetime 2 years          + 1 month        + 13 months      = 3 year, 2 month lifetime 

The last step “recurses” up the PKI hierarchy through any more intermediate CA tiers until you get to the root cert.

This means, necessarily, a CA’s cert must always have a lifetime longer than the certs it issues.


Context: Apple’s Announcement about 13-month maximum cert lifetimes starting September 1st 2020 must therefore only apply to leaf certs, and not to certs issued to intermediate or root CAs.