From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
What’s everyone’s opinion on this? I think from a security standpoint their reasoning is valid and in many cases it’s very easy to automate the renewal with ACME or something else. But there’s likely gonna be legacy stuff still around in 2029 that won’t be easy to automate.
This will be so much fun for people with legacy systems
Self signed certs about to get even more popular.
Tony Stark was able to build his CA in a cave! With a bunch of dice!
Self signed certs still have to abide. It’s the browser that checks it not the issuer. Now granted in most cases you already get a non trusted warning that most sysadmins skip…
The cert is what tells the browser how long it lasts, so I’m not sure how the browser can stop you from using a 10 year self signed cert or one from your own CA
If the browser sees it expires too far in the future, it could throw a warning or error.
I doubt any of them will actually do it, but it’s possible.
Most browsers do this for certs with a lifetime longer than 398 days issued after 2020, which is one aspect of why so many websites use a 1 year validity period for their certs.
Or just spin up a new one all the time?
Self signed certs still support longer time frames
If you need to expose a legacy system to the internet we have bigger issues
This way it will gradually ramp up the pain tho. If they went straight to 47 days, basically the entire internet would be gone for a few days.
Are compromised private keys that much of a problem in the real world to merit such a pain in the ass, heavy handed “solution”? On paper, sure, it makes sense. In practice, you’re forcing people to complicate the process by introducing, until now, unnecessary automation and introducing the possibility of brand new points of vulnerability.
I say this as someone who does maintain legacy systems (i.e. systems), so take it with a very angry, frazzled grain of salt. But I’ve done this for
yearsdecades and many, many systems and to my knowledge, I’ve never had a compromised private key.This just seems like people who constantly lose their house keys mandating that everyone else change their locks as often as they do.
are you sure this mandates always using a new private key? I think I have read that they don’t. how would you verify that anyway?
I can’t wait for the day when we have to refresh them hourly.
ephemeral single use certs when?
I think the main idea is to force automation
TLS? Noobs. All the cold kids just cleartext it.
If I understand this correctly, it only affects certificates issued by public CAs (certificates for public websites, for example). So for certs issued by a company CA (e.g. for internal infrastructure), it should not apply. Can anyone confirm?
The browser warning appears even for a cert issued by a non public CA you have told your browser to trust, and most browsers already enforce a 398 day limit, so unless you have cooperative users, you’re already (effectively) capped at 1 year of validity.
deleted by creator
True. Technically the bounds for the validity period are from Jan 1, 1950 to Dec 31, 9999.
My little corner of the business has started migrating our certs to let’s encrypt.
Hope it catches on else where
I am a little concerned about the fact that Let’s encrypt is a centralized service subject to outages. What would happen if they we either breached or had a several day issue.
If you are in the cloud you can use the cloud provided certs
and I’m a little more concerned about the fact that Let’s Encrypt has lost its funding recently
Out of the 2 scenarios this is the more immediate concern for me
This is always a concern however we were recently stung by the dicicert revocation thing. Spending a night changing thousands of certs was not fun
Doesn’t really affet me much, as my LE cronjob will update the cert either way. Doesn’t really matter if it’s 90 days or 47 (what a weird number of days)
I only can assume: 1.5 months rounded up, using 31 days a month 31+16=47
So you get half a month to realize that your monthly automated renewal is broken?
Digicert is such a shitty CA.
Oh, I agree. This change will affect all CAs however. And their post seemed to contain the most amount of information.
I just had to get it out of my system.
“You can’t use Let’s encrypt in production!”
Me using let’s encrypt for almost everything
