Vendors vote to radically slash website certificate duration

Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days, placing an added burden on enterprise IT staff who must ensure they are updated.

This really hurts — I manage 80+ commercial certs for my customers (a few wildcards, mostly one name certs)… things were much simpler back in the days of five year certs… and I wonder how the CAs will price things 🙂 All of these are installed on servers or appliances beyond my control or access at client sites.

And for things I do host, I have a series of scripts I customized from various Google searches running on a local centralized Let's Encrypt management Linux server that automate the approval and deployment of 80+ certs internally.

Might be time to see what we should charge to extend our LE management outward to client sites, or even try to automate commercial cert renewal and deployment. But some appliances I believe require them to generate the CSR, so that could be a complication.

I wonder in the big picture, this is a solution looking for a problem — have there been repeated large scale issues in the past that will be solved by this?


This right here:

The group’s argument is that this will improve web security in various ways, but some have argued that the group’s members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration.

Then again, this fancy group better work on improving the revocation systems instead of just reducing the validity.

Updating prices by $1 per renewal period = 7.8 times earnings.

47 days is intense—this will definitely keep IT teams on their toes. Automation’s about to become even more essential.

And the benefit is ???
