TLS certificate lifetimes will officially reduce to 47 days

digicert.com

512 points by crtasm 11 days ago


bob1029 - 10 days ago

What's the end game here? I agree with the dissent. Why not make it 30 seconds?

Once we cross the threshold of "I absolutely have to automate everything or it's not viable to use TLS anymore", why do we care about providing anything beyond ~48 hours? I am willing to bet money this threshold will never be crossed.

This feels like much more of an ideological mission than a practical one, unless I've missed some monetary/power advantage to forcing everyone to play musical chairs with their entire infra once a month...

pixl97 - 11 days ago

Heh, working with a number of large companies I've seen most of them moving to internally signed certs on everything because of ever shortening expiration times. They'll have public certs on edge devices/load balancers but internal services with have internal CA signed certs with long expire times because of the number of crappy apps that make using certs a pain in the ass.

greatgib - 11 days ago

As I said in another thread, basically that will kill any possibility to do your own CA for your own subdomain. Only the big one embedded in browser will have the receive to have their own CA certificate with whatever period they want...

And in term of security, I think that it is a double edged sword:

- everyone will be so used to certificates changing all the time, and no certificate pinning anymore, so the day were China, a company or whoever serve you a fake certificate, you will be less able to notice it

- Instead of having closed systems, readonly, having to connect outside and update only once per year or more to update the certificates, you will have now all machines around the world that will have to allow quasi permanent connections to random certificate servers for the updating the system all the time. If ever Digicert or Letsencrypt server, or the "cert updating client" is rooted or has a security issue, most servers around the world could be compromised in a very very short time.

As a side note, I'm totally laughing at the following explanation in the article:

   47 days might seem like an arbitrary number, but it’s a simple cascade:
   - 47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room
So, 47 is not arbitrary, but 1 month, + 1/2 month, + 1 day are not arbitrary values...
ghusto - 11 days ago

I really wish encryption and identity weren't so tightly coupled in certificates. If I've issued a certificate, I _always_ care about encryption, but sometimes do not care about identity.

For those times when I only care about encryption, I'm forced to take on the extra burden that caring about identity brings.

Pet peeve.

captn3m0 - 11 days ago

This is great news. This would blow a hole in two interesting places where leaf-level certificate pinning is relied upon:

1. mobile apps.

2. enterprise APIs. I dealt with lots of companies that would pin the certs without informing us, and then complain when we'd rotate the cert. A 47-day window would force them to rotate their pins automatically, making it even worse of a security theater. Or hopefully, they switch rightly to CAA.

philsnow - 9 days ago

> As a certificate authority, one of the most common questions we hear from customers is whether they’ll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription […]

(emphasis added)

Pump the brakes there, digicert. Price is based on an annual subscription. CA costs will actually go up an infinitesimal amount, but they’re already nearly zero to begin with. Running a CA has got to be one of the easiest rackets in the world.

bityard - 10 days ago

I see that there is a timeline for progressive shortening, so if anyone has any "inside baseball" on this, I'm very curious to know:

Given that the overarching rationale here is security, what made them stop at 47 days? If the concern is _actually_ security, allowing a compromised cert to exist for a month and a half is I guess better than 398 days, but why is 47 days "enough"?

When will we see proposals for max cert lifetimes of 1 week? Or 1 day? Or 1 hour? What is the lower limit of the actual lifespan of a cert and why aren't we at that already? What will it take to get there?

Why are we investing time and money in hatching schemes to continually ratchet the lifespan of certs back one more step instead of addressing the root problems, whatever those are?

peanut-walrus - 10 days ago

So the assumption here is that somehow your private key is easier to compromise than whatever secret/mechanism you use to provision certs?

Yeah not sure about that one...

throwaway96751 - 11 days ago

Off-topic: What is a good learning resource about TLS?

I've read the basics on Cloudflare's blog and MDN. But at my job, I encountered a need to upload a Let's encrypt public cert to the client's trusted store. Then I had to choose between Let's encrypt's root and intermediate certs, between key types RSA and ECDSA. I made it work, but it would be good to have an idea of what I'm doing. For example why root RSA key worked even though my server uses ECDSA cert. Before I added the root cert to a trusted store, clients used to add fullchain.pem from the server and it worked too — why?

ori_b - 10 days ago

Can someone point me to specific exploits that this key rotation schedule would have stopped?

It seems to me like compromised keys are rare. It also seems like 47 days is low enough to be inconvenient, but not low enough to prevent significant numbers of people from being compromised if there is a compromised key.

_bin_ - 11 days ago

Is there an actual issue with widespread cert theft? That seems like the primary valid reason to do this, not forcing automation.

jsheard - 11 days ago

This change will have a steady roll-out, but if you want to get ahead of the curve then Let's Encrypt will be offering 6 day certs as an option soon.

https://letsencrypt.org/2025/02/20/first-short-lived-cert-is...

nickf - 10 days ago

Don't forget the lede buried here - you'll need to re-validate control over your DNS names more frequently too. Many enterprises are used to doing this once-per-year today, but by the time 47-day certs roll around, you'll be re-validating all of your domain control every 10 days (more likely every week).

umvi - 9 days ago

So does this mean all of our Chromecasts are going to stop working again once this takes effect since (judging by Google's response during the week long Chromecast outage earlier this year) Chromecast is run by a skeleton crew and won't have the resources to automate certificate renewal?

hackcoughgasp - 2 days ago

I know this thread is over, but it's important to understand that it's the browsers who have all the power in CABF and they were the drivers behind this change. Apple proposed it and Google voted yes within minutes of the voting period opening. It was unanimous among CAs too (with 5 abstentions), and nobody really disagrees with it, but it was the browsers who started the initiative now. The article links to the vote thread: https://groups.google.com/a/groups.cabforum.org/g/servercert... And here's the CABF discussion before the vote: https://github.com/cabforum/servercert/pull/553/commits/69ce...

throw0101b - 11 days ago

Justification:

> The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

> The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.

Personally I don't really buy this argument. I don't think the web sites that most people visit (especially highly-sensitive ones like for e-mail, financial stuff, a good portion of shopping) change or become "less trustworthy" that quickly.

avodonosov - 9 days ago

First impression: with automation and short lived certificates, the Certifying Authorities become similar to Identity Providers / OpenID Provider in openid / openid-connect. The certificates are tokens.

And significant part of security is concentrated around the way Certifying Authorities validate the domain ownership. (So called challenges).

Next, maybe clients can run those challenges directly, instead of relying onto certificates? For example, when connecting a server, client client sends two unique values, and the server must create DNS record <unique-val-1>.server.com with record value of the <unique-val-2>. Client check that such record is created and thus the server has proven it controls the domain name.

Auth through DNS, that's what it is. We will just need to speed up the DNS system.

xyst - 10 days ago

I don’t see any issue here. I already automate with ACME so rotating certificates on an earlier basis is okay. This should be like breathing for app and service developers and infrastructure teams.

Side note: I wonder how much pressure this puts on providers such as LetsEncrypt, especially with the move to validate IPs. And more specifically IPv6…

mystraline - 9 days ago

I'm sure this will be buried, but SSL is supposed to provide encryption. That's it.

Self-signed custom certs also does that. But those are demonized.

Also SSL also tries to define a ip-dns certification of ownership, kind of.

There's also a distinct difference between 'this cert expired last week' and 'this cert doesn't exist' and mitm attack. Expired? Just give a warning, not a scare screen. MITM? Sure give a big scary OHNOPE screen.

But, yeah, 47 days is going to wreck havok on network and weird devices.

trothamel - 11 days ago

Question: Does anyone have a good solution for renewing letsencrypt certificates for websites hosted on multiple servers? Right now, I have one master server that the others forward the well-known requests too, and then I copy the certificate over when I'm done, but I'm wondering if there's a better way.

1970-01-01 - 11 days ago

Your 90-day snapshot backups will soon become 47-day backups. Take care!

compumike - 9 days ago

(Shameless self-promotion) We set up our https://heiioncall.com/ monitoring to give our on-call rotation a non-critical “it can wait until Monday” alert when there are 14 days or less left on our SSL certificates, and a critical alert “do-not-disturb be damned” when 48 hours left until expiry. Because cert-manager got into some weird state once a few years ago, and I’d rather find out well in advance next time.

Edit: it’s configured under Trigger -> Outbound Probe -> “SSL Certificate Minimum Expiration Duration”

procaryote - 10 days ago

If this is causing you pain, certbot with Acme DNS challenge is pretty easy to set up to get you certs for your internal services. There are tools for many different dns providers like route53 or cloudflare.

I tend to have secondary scripts that checks if the cert in certbots dir is newer than whatever is installed for a service, and if so install it. Some services prefer the cert in certain formats, some services want to be reloaded to pick up a new cert etc, so I put that glue in my own script and run it from cron or a systemd timer.

raggi - 11 days ago

It sure would be nice if we could actually fix dns.

kevincox - 9 days ago

To me I don't really care about the certificate lifetime, what I care about is the time between being allowed to renew and time until expiry.

Right now Let's Encrypt recommends renewing your 90d certificates every 60 days, which means that there is a 30 day window between recommended to renew and expiry. This feels relatively comfortable to me. A long vacation may be longer than 30 days but it is rare and there is probably other maintenance that you should be doing in this time (although likely routine like security updates rather than exceptional like figuring out why your certificate isn't renewing).

So if 47 days ends up meaning renew every 17 days and still have that 30 day buffer I would be quite happy. But what I fear is that they will recommend (and set rate limits based on) renewing every 30 days with a 17 day buffer which is getting a little short for comfort IMHO. While big organizations will have a 24h oncall and medium organizations will have many business hours to figure it out is sucks for individuals who what to go away for a few weeks without worrying about debugging their certificate renewal until they get home.

dsr_ - 10 days ago

Daniel K Moran figured out the endgame:

"Therefore, the Lunar Bureau of the United Nations Peace Keeping Force DataWatch has created the LINK, the Lunar Information Network Key. There are currently nine thousand, four hundred and two Boards on Luna; new Boards must be licensed before they can rent lasercable access. Every transaction--every single transaction--which takes place in the Lunar InfoNet is keyed and tracked on an item-by-item basis. The basis of this unprecedented degree of InfoNet security is the Lunar Information Network Key. The Key is an unbreakable encryption device which the DataWatch employs to validate and track every user in the Lunar InfoNet. Webdancers attempting unauthorized access, to logic, to data, to communications facilities, will be punished to the full extent of the law."

from The Long Run (1989)

Your browser won't access a site without TLS; this is for your own protection. TLS certificates are valid for one TCP session. All certs are issued by an organization reporting directly to a national information security office; if your website isn't in compliance with all mandates, you stop getting certs.

rhodey - 10 days ago

After EFF Lets Encrypt made the change to disable reminder emails I decided I would be moving my personal blog from my VPS to AWS specifically. I just today made the time to make the move and 10 minutes after I find this.

I could have probably done more with Lets Encrypt automation to stay with my old VPS but given that all my professional work is with AWS its really less mental work to drop my old VPS.

Times they are a changing

jonathantf2 - 11 days ago

A welcome change if it gives some vendors a kick up the behind to implement ACME.

junaru - 11 days ago

> For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.

Oh yes, vendors will update their legacy NAS/IPMI/whatever to include certbot. This change will have the exact opposite effect - expired self signed certificates everywhere on the most critical infrastructure.

zephius - 11 days ago

Old SysAdmin and InfoSec Admin perspective:

Dev guys think everything is solvable via code, but hardware guys know this isn't true. Hardware is stuck in fixed lifecycles and firmware is not updated by the vendors unless it has to be. And in many cases updated poorly. No hardware I've ever come across that supports SSL\TLS (and most do nowadays) offers any automation capability in updating certs. In most cases, certs are manually - and painfully - updated with esoteric CLI cantrips that require dancing while chanting to some ancient I.T. God for mercy because the process is poorly (if at all) documented and often broken. No API call or middelware is going to solve that problem unless the manufacturer puts it in. In particular, load balancers are some of the worst at cert management, and remember that not everyone uses F5 - there are tons of other cheaper and popular alternatives most of which are atrocious at security configuration management. It's already painful enough to manage certs in an enterprise and this 47 day lifecycle is going to break things. Hardware vendors are simply incompetent and slow to adapt to security changes. And not everyone is 100% in the cloud - most enterprises are only partially in that pool.

borgster - 9 days ago

The ultimate internet "kill switch": revoke all certificates. Modern browsers refuse to render the page.

webprofusion - 9 days ago

Pretty sure this only refers to publicly trusted certs. What percentage of public certs are still being manually managed?

I've been in the cert automation industry for 8 years (https://certifytheweb.com) and I do still hear of manual work going on, but the majority of stuff can be automated.

For stuff that genuinely cannot be automated (are you sure you're sure) these become monthly maintenance tasks, something cert management tools are also now starting to help with.

We're planning to add tracking tasks for manual deployments to Certify Management Hub shortly (https://docs.certifytheweb.com/docs/hub/), for those few remaining items that need manual intervention.

arisudesu - 9 days ago

Having short-lived certificates is good, replacing them too often is not. This is implemented trivially for single-host deployments which just run certbot or ACME each subdomains. But for sophisticated setups where a certificate for a domain (or multiple domains or a wildcard) must be shared across fleet of hosts, it is a burden.

There are no ready-made tools available to automate such deployments. Especially if a certificate must be the same for each of the hosts, fingerprint included. Having a single, authoritative certificate for a domain and its wildcard subdomains deployed everywhere is much simpler to monitor. It does not expose internal subdomains in certificate transparency logs.

Unfortunately, organizations (persons) involved in decisions, do not provide such tools in advance.

elric - 9 days ago

This sounds an awful lot like security theatre.

> The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

This is patently nonsensical. There is hardly any information in a certificate that matters in practice, except for the subject, the issuer, and the expiration date.

> Shorter lifetimes mitigate the effects of using potentially revoked certificates.

Sure, and if you're worried about your certificates being stolen and not being correctly revoked, then by all means, use a shorter lifetime.

But forcing shorter lifetimes on everyone won't end up being beneficial, and IMO will create a lot of pointless busywork at greater expense. Many issuers still don't support ACME.

readthenotes1 - 11 days ago

I wonder how many forums run by the barely able are going to disappear or start charging.

I fairly regularly get cert expired problems because the admin is doing it as the yak shaving for a secondary hobby

iJohnDoe - 11 days ago

Getting a bit ridiculous.

CommanderData - 10 days ago

Why bother with such a long staggered approach?

There should be 1 change from 365 to 47 days. This industry doesnt need constant changes, which will force everyone to automating renewals anyway.

jezek2 - 9 days ago

Thanks for the heads up. I will adjust my cron jobs to run every week instead of every month.

I need it more frequently to get more time in case there is an error as I tend to ignore the error e-mails for multiple weeks due to my fatigue from handling of various kinds of certificates.

Personally I also have an HTTP mirror for my more important projects when availability is more important than security of the connection.

rfmoz - 9 days ago

This could be addressed in a more progressive way.

For example, EV carts had the green bar that was a soft way to promote their presence/use over the normal ones. That bar, started as a strong evidence on the url box and lost that look with the time.

Something like that let the owner to decide and, maybe, the user push their use because it feels more secure, not directly the CA.

AlfeG - 10 days ago

Will see how Azure FD will handle this. We opened more than expected tickets with support on certs not updating automatically...

zelon88 - 11 days ago

This naively (or maliciously perhaps) maintains that the "purpose" of the certificate is to identify an entity. While identity and safeguarding against MITM is important, identity is not the primary purpose certificates serve in the real world. At least that is not how they are used or why they are purchased.

They are purchased to provide encryption. Nobody checks the details of a cert and even if they did they wouldn't know what to look for in a counterfeit anyway.

This is just another gatekeeping measure to make standing up, administering, and operating private infrastructure difficult. "Just use Google / AWS / Azure instead."

- 9 days ago
[deleted]
Havoc - 9 days ago

Continually surprised by how emotional people get about cert lifetimes.

I get that there are some fringe cases where it’s not possible but for the rest - automate and forget.

paradite - 9 days ago

All I care about as a certbot user is what do I need to do.

Do I need to update certbot in all my servers? Or would they continue to work without the need to update?

iqandjoke - 9 days ago

The poor vendor folk needs to come more often on site to fix the cert issue.

PixelPaul - 8 days ago

Petition to Remove members voting rights from the CABForum who have a commercial interest: https://chng.it/WcR6t2WQd2

aaomidi - 11 days ago

Good.

If you can't make this happen, don't use WebPKI and use internal PKI.

wnevets - 10 days ago

Has anyone managed to calculate the increase power usage across the entire internet this change will cause? Well, I suppose the environment can take one more for the team.

riffic - 10 days ago

ah this is gonna piss off a few coworkers today but it's a good move either way.

thyristan - 10 days ago

semi-related question: where is the letsencrypt workalike for s/mime?

Lammy - 10 days ago

This sucks. I'm actually so sick of mandatory TLS. All we did was get Google Analytics and all the other spyware running “““securely””” while making it that much harder for any regular person to host anything online. This will push people even further into the arms of the walled gardens as they decide they don't want to deal with the churn and give up.

- 10 days ago
[deleted]
0xbadcafebee - 10 days ago

I hate this, but I'm also glad it's happening, because it will speed up the demise of Web PKI.

CAs and web PKI are a bad joke. There's too many ways to compromise security, there's too many ways to break otherwise-valid web sites/apps/connections, there's too many organizations that can be tampered with, the whole process is too complex and bug-prone.

What Web PKI actually does, in a nutshell, is prove cryptographically that at some point in the past, there was somebody who had control of either A) an e-mail address or B) a DNS record or C) some IP space or D) some other thing, and they generated a certificate through any of these methods with one of hundreds of organizations. OR it proves that they stole the keys of such a person.

It doesn't prove that who you're communicating with right now is who they say they are. It only proves that it's someone who, at some point, got privileged access to something relating to a domain.

That's not what we actually want. What we actually want is to be assured this remote host we're talking to now is genuine, and to keep our communication secret and safe. There are other ways to do that, that aren't as convoluted and vulnerable as the above. We don't have to twist ourselves into all these knots.

I'm hopeful changes like these will result in a gradual catastrophy which will push industry to actually adopt simpler, saner, more secure solutions. I've proposed one years ago but nobody cares because I'm just some guy on the internet and not a company with a big name. Nothing will change until the people with all the money and power make it happen, and they don't give a shit.

ocdtrekkie - 11 days ago

It's hard to express how absolutely catastrophic this is for the Internet, and how incompetent a group of people have to be to vote 25/0 for increasing a problem that breaks the Internet for many organizations yearly by a factor of ten for zero appreciable security benefit.

Everyone in the CA/B should be fired from their respective employers, and we honestly need to wholesale plan to dump PKI by 2029 if we can't get a resolution to this.

msie - 10 days ago

Eff this shit. I'm getting out of sysadmin.

aristofun - 10 days ago

Oh no, Bunch of stupid bureacrats came up with another dumb idea. What a surprise!

curtisszmania - 9 days ago

[dead]

belter - 11 days ago

Are the 47 days to please the current US Administration?

vasilzhigilei - 10 days ago

I'm on the SSL/TLS team @ Cloudflare. We have great managed certificate products that folks should consider using as certificate validity periods continue to shorten.