this post was submitted on 15 Apr 2025

4 points (100.0% liked)

Sysadmin

12532 readers

1 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago

MODERATORS

DarraignTheSane@lemmy.world

00Lemming@lemmy.world

L3s@lemmy.world

TLS Certificate Lifetimes Will Officially Reduce to 47 Days (in 2029) (www.digicert.com)

submitted 9 months ago by JRaccoon@discuss.tchncs.de to c/sysadmin@lemmy.world

21 comments fedilink hide all child comments

From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

What's everyone's opinion on this? I think from a security standpoint their reasoning is valid and in many cases it's very easy to automate the renewal with ACME or something else. But there's likely gonna be legacy stuff still around in 2029 that won't be easy to automate.

top 21 comments

sorted by: hot top controversial new old

[–] ptz@dubvee.org 2 points 9 months ago* (last edited 9 months ago) (1 children)

Are compromised private keys that much of a problem in the real world to merit such a pain in the ass, heavy handed "solution"? On paper, sure, it makes sense. In practice, you're forcing people to complicate the process by introducing, until now, unnecessary automation and introducing the possibility of brand new points of vulnerability.

I say this as someone who does maintain legacy systems (i.e. systems), so take it with a very angry, frazzled grain of salt. But I've done this for ~~years~~ decades and many, many systems and to my knowledge, I've never had a compromised private key.

This just seems like people who constantly lose their house keys mandating that everyone else change their locks as often as they do.

[–] bamboo@lemmy.blahaj.zone 1 points 9 months ago

One issue is that browsers and other clients have a difficult time handling certificate revocation. Let's Encrypt is stopping support for OCSP, and that had a lot of privacy implications where a CA could tell who is going to what site, based on the requests to check certificate revocation. Let's Encrypt is moving to CRLs, but the size of the CRL is very large the more certificates you have. For Let's Encrypt with only a 90 day validity period, their CRL is smaller than a CA which has certificates as much as 398 days old.

The size of the CRL is something not only CAs have to manage, on the client side, you may have to check a 10MB file to see if the certificate for the site you're connecting to is still trusted by the CA. With many CAs, these CRLs will take up a lot of space on disk, and need to be updated often. Mozilla published a system called CRLite which uses Cascading Bloom Filters to keep track of revoked certificates in the browser, which will save a lot of space. Having a constrained set of revoked certificates is useful to ensure the bloomfilter won't be too large for the browser to store and manage.

[–] SkaveRat@discuss.tchncs.de 1 points 9 months ago

Doesn't really affet me much, as my LE cronjob will update the cert either way. Doesn't really matter if it's 90 days or 47 (what a weird number of days)

[–] nazgul666@lemmy.world 1 points 9 months ago* (last edited 9 months ago) (1 children)

If I understand this correctly, it only affects certificates issued by public CAs (certificates for public websites, for example). So for certs issued by a company CA (e.g. for internal infrastructure), it should not apply. Can anyone confirm?

[–] ClemaX@lemm.ee 1 points 9 months ago

True. Technically the bounds for the validity period are from Jan 1, 1950 to Dec 31, 9999.

Source

[–] enumerator4829@sh.itjust.works 1 points 9 months ago (1 children)

This will be so much fun for people with legacy systems

[–] mosiacmango@lemm.ee 1 points 9 months ago* (last edited 9 months ago) (2 children)

Self signed certs about to get even more popular.

[–] SecureTaco@lemmy.asc6.org 1 points 9 months ago (1 children)

Self signed certs still have to abide. It’s the browser that checks it not the issuer. Now granted in most cases you already get a non trusted warning that most sysadmins skip…

[–] Zeoic@lemmy.world 1 points 9 months ago (1 children)

The cert is what tells the browser how long it lasts, so I'm not sure how the browser can stop you from using a 10 year self signed cert or one from your own CA

[–] catloaf@lemm.ee 1 points 9 months ago (1 children)

If the browser sees it expires too far in the future, it could throw a warning or error.

I doubt any of them will actually do it, but it's possible.

[–] prime_number_314159@lemmy.world 1 points 9 months ago

Most browsers do this for certs with a lifetime longer than 398 days issued after 2020, which is one aspect of why so many websites use a 1 year validity period for their certs.

[–] enumerator4829@sh.itjust.works 1 points 9 months ago

Tony Stark was able to build his CA in a cave! With a bunch of dice!

[–] pennomi@lemmy.world 1 points 9 months ago (1 children)

I can’t wait for the day when we have to refresh them hourly.

[–] SkaveRat@discuss.tchncs.de 1 points 9 months ago

ephemeral single use certs when?

[–] eddanja@lemmy.world 1 points 9 months ago (1 children)

Digicert is such a shitty CA.

[–] JRaccoon@discuss.tchncs.de 1 points 9 months ago

Oh, I agree. This change will affect all CAs however. And their post seemed to contain the most amount of information.

[–] Z3k3@lemmy.world 1 points 9 months ago (1 children)

My little corner of the business has started migrating our certs to let's encrypt.

Hope it catches on else where

[–] possiblylinux127@lemmy.zip 1 points 9 months ago (1 children)

I am a little concerned about the fact that Let's encrypt is a centralized service subject to outages. What would happen if they we either breached or had a several day issue.

If you are in the cloud you can use the cloud provided certs

[–] WhyJiffie@sh.itjust.works 1 points 9 months ago (1 children)

and I'm a little more concerned about the fact that Let's Encrypt has lost its funding recently

[–] Z3k3@lemmy.world 1 points 9 months ago

Out of the 2 scenarios this is the more immediate concern for me

[–] 01189998819991197253@infosec.pub 1 points 9 months ago

TLS? Noobs. All the cold kids just cleartext it.