TLS Certificate Lifespan

It is difficult to tell if this is good or bad. I guess it depends on how up-to-date your software is, whether you can automate, and any difference in pricing.

[T]he CA/Browser Forum (CA/B Forum) has approved a proposal to reduce the maximum validity period of SSL/TLS certificates from the current 398 days to just 47 days by March 15, 2029. This decision, initially proposed by Apple and endorsed by major industry players including Google, Mozilla, and Sectigo, aims to mitigate risks associated with long-lived certificates and encourage automation in certificate management.

1 Like

Is there anyone out there except for enterprises who still pays for their certificates instead of using Let’s Encrypt? I know there’s a purpose (though why exactly escapes me), but I don’t think most businesses would need to purchase certs.

Let’s Encrypt has a pretty short expiry period for the certificate already from memory (3 months?)

1 Like

I don’t know much about maintaining certificates for an enterprise site.

But, I guess I’m thinking about people focused on work who might be caught off guard by an external change like this.

Maybe 2029 seems far away.

But, some company probably made money with Windows XP today.

And, so, people working in places like that need to start talking about this now in order to be ready on time.

IT tends to be a backwater or cost center in non-tech companies or nonprofits.

1 Like

I don’t think it’s a thing any more, but you used to be able to get a fancy green padlock or some such in the address bar with some TLS cert providers which was seen as an additional trust signal by users. With practically everything being TLS now, probably no longer a thing.

Let’s Encrypt has a pretty short expiry period

Recent certbot versions are able to auto-update certs, so the administrative aspect is taken care of; originally it was a pain, though.

I guess this is an evolution of Let’s Encrypt offering free certs, and the “why not?” question of shorter lifetimes.

1 Like

Yeah, I remember that being a thing. It’s similar to email, where you can pay lots of money to implement BIMI on your emails as an additional trust signal.

Always seemed nuts to me but then I don’t work for a giant enterprise :woman_shrugging:

I only started administering servers a few years ago, and they’ve always auto-renewed for me, so I’ve always had it easy :slight_smile:

I still find it too much of a pain and deploy Caddy everywhere I can so SSL is taken care of automatically for me, which uses Let’s Encrypt + Certbot under the hood. Trying to take care of SSL provisioning and renewal inside Docker without Caddy is a chore…

2 Likes
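As an added example (not code from any poster in this thread), here is a stdlib-only Python check that takes a certificate's notBefore/notAfter in the format ssl.getpeercert() returns, compares its lifetime with the CA/B Forum cap in force on its issue date, and decides whether an auto-renewal should already have run. The 200- and 100-day intermediate steps and the one-third renewal threshold are assumptions not stated in the thread.

```python
import ssl
from datetime import date, datetime, timedelta, timezone

# Maximum permitted lifetime (days) for certificates issued on or after each
# date. The 398 -> 47 by 2029-03-15 endpoints come from the thread; the
# 200- and 100-day steps are assumed intermediate milestones (verify against
# the current CA/B Forum Baseline Requirements).
LIFETIME_SCHEDULE = [
    (date.min, 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

# Renew once less than this fraction of the lifetime remains: 30 days for a
# 90-day Let's Encrypt cert, which matches certbot's default renewal window.
RENEW_FRACTION = 1 / 3


def max_lifetime_days(issued: date) -> int:
    """Maximum lifetime allowed for a certificate issued on `issued`."""
    allowed = LIFETIME_SCHEDULE[0][1]
    for start, days in LIFETIME_SCHEDULE:
        if issued >= start:
            allowed = days
    return allowed


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Jun  1 12:00:00 2025 GMT' form used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess(not_before: str, not_after: str, now: datetime) -> dict:
    """Lifetime, policy compliance and renewal status of one certificate."""
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    lifetime, remaining = end - start, end - now
    cap = max_lifetime_days(start.date())
    return {
        "lifetime_days": lifetime.days,
        "max_allowed_days": cap,
        "compliant": lifetime <= timedelta(days=cap),
        "remaining_days": remaining.days,
        "expired": remaining <= timedelta(0),
        "renew_now": remaining < lifetime * RENEW_FRACTION,
    }


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate observed with 25 days left.
    now = parse_cert_time("Mar  7 00:00:00 2025 GMT")
    print(assess("Jan  1 00:00:00 2025 GMT", "Apr  1 00:00:00 2025 GMT", now))
```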

It seems to me that the effect of encrypting every website, and not just websites you need to log in to, and the discouraging efforts made by browser developers against using unencrypted websites will speed up the death of older and smaller websites; it’s like it is another tool to transform the web from a people thing to a big corporations thing (something that I think is already happening).
Shortening the certificate lifespans goes in the same direction, doesn’t it?

1 Like