47-Day SSL/TLS Certificates by 2029
FatGrizzly
Member, Host Rep
in News
TLDR: CA/B had a vote (proposed by Apple) to reduce SSL validity to 47 days (applicable from 2029).
Every CA and CA Consumer voted in favor.
Timeline:
Phased Reduction Timeline
March 15, 2026:
Maximum certificate lifespan: 200 days
Domain validation reuse: 200 days (down from 398 days)
OV/EV validation reuse (SII): 398 days (down from 825 days)
March 15, 2027:
Maximum certificate lifespan: 100 days
Domain validation reuse: 100 days
March 15, 2029:
Maximum certificate lifespan: 47 days
Domain validation reuse: 10 days
https://www.ssl.com/article/preparing-for-47-day-ssl-tls-certificates/
This is sad. This is gonna be a pain in the ass for several people, especially where ACME can't be implemented.

Comments
Voting results:
https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ?pli=1
Where can't ACME be implemented?
Old enterprise deployments
IPv4-only
I'm kinda surprised they're moving so fast. I don't have any real objections to this anymore though I was one of the guys that screeched mightily about LetsEncrypt timers back in the day.
Yeah this.
Why? Sounds more like not wanting to change, or can't use the standard ACME clients/workflow and would need some extra work.
This is exactly the behavior of IPv4-only shillers and old enterprise deployment maintainers
Oh well, the usual bunch of corporate assholes ...
But don't worry, that will make sakkurity even more sakkure!
Side note: mozilla the "people's browser" shit hole not really surprisingly of bloody course cozy with the corporate assholes ...
a propos:
Reasoning? Come on, tell me a fairy tale.
M y I luv Caddy ❤️ even moaoar
Any reason why Letsencrypt not in the voter lists?
Tried googling some info, but it still doesn't answer my question.
I don't even know modern hardware without IPv6 support and API to manage instance
With ACME there are no problems changing certificates fast as long as automation is possible. But many years ago, before ACME and short-lived certificates were a thing, everyone did it manually, like every 1 or 3 years.
Yeah, ACME can't be implemented everywhere, but things could be scripted out to make it a bit more automated or other solutions could be implemented. I forget all the details since it was a long time ago at an old employer, but one legacy system couldn't comply with the company's standards. The immediate solution was to firewall it off and have all traffic go through a load balancer which presented a proper cert/cipher. It still technically wasn't up to the standards, but it was enough of a "bandaid" that made everyone happy with it staying running while a plan for modernization could be created and executed (I wasn't part of those talks for that system).
Except when it doesn't want to work
Had big issues with some NS providers and the implemented API. And DNS caches are a huge pain.
That may well be the case but why is IP4 - allegedly - a problem for ACME implementation?
It is a good sign of unwillingness to change things, as was mentioned by @cmeerw as well.
Hmm. Haven't run into these so far 🤞
For my use case it's working like a champ.
Tbh I don't think it is Caddy's fault, DNS in general sometimes causes some pain in the ass
Anyway, there is an alternative: issue the TLS certificate using the HTTP-01 challenge. Unless you have lots of wildcards, it should be a much better UX for you.
Haven't fully figured it out but it might be desec.io issue.
I don't see how that's an issue. It's automated. Whether it happens every 365 days or every week is not really relevant. It's not like it's some intensive process.
Strange result. Collusion?
Only root CAs are allowed to vote.
LE is an intermediate.
Same doubt.
as someone who will have to go and do a lot of work for this, it seems fine to me - we never got revocation to work so it's sensible to give up and just limit the damage stolen/incorrectly issued/NSA certs cause.
I would use Caddy.
What worries me most isn’t the 47-day limit itself, but the operational impact of a single missed renewal. With 8+ renewals per year, the chance of human error goes up dramatically. I have seen outages caused by just one expired cert. Multiply that across hundreds of domains, and it becomes a real business continuity risk. That’s why most teams I work with are looking at ACME or API-based management as mandatory.
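As an added example (not code from this thread or from any CA or ACME client), the phased schedule quoted in the opening post turned into a renewal check: given a certificate's notBefore/notAfter, it tells you the cap that applied on the issuance date, whether the cert's lifetime fits under it, and whether it is time to renew. The "renew at 2/3 of lifetime" threshold and the 398-day pre-2026 cap are assumptions chosen for the example; all other dates and day counts are the thread's own.

```python
import math
from datetime import date, timedelta

# Phased maximum certificate lifetime from the CA/B Forum timeline quoted in
# the thread. Before the first phase the current 398-day cap is assumed.
LIFETIME_PHASES = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
PRE_2026_MAX_DAYS = 398


def max_lifetime_days(issued: date) -> int:
    """Maximum validity (days) allowed for a certificate issued on `issued`."""
    cap = PRE_2026_MAX_DAYS
    for phase_start, days in LIFETIME_PHASES:
        if issued >= phase_start:
            cap = days
    return cap


def check_cert(not_before: date, not_after: date, today: date,
               renew_at: float = 2 / 3) -> dict:
    """Compare a cert's validity window with the cap and decide on renewal.

    renew_at is the fraction of the lifetime after which renewal should run
    (assumed value for this example; use whatever your automation is set to).
    """
    lifetime = (not_after - not_before).days
    renew_date = not_before + timedelta(days=int(lifetime * renew_at))
    if today >= not_after:
        status = "expired"
    elif today >= renew_date:
        status = "renew_now"
    else:
        status = "ok"
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": max_lifetime_days(not_before),
        "within_cap": lifetime <= max_lifetime_days(not_before),
        "renew_date": renew_date,
        "days_until_expiry": (not_after - today).days,
        "status": status,
    }


def renewals_per_year(lifetime_days: int, renew_at: float = 2 / 3) -> int:
    """Approximate renewals per year when renewing at `renew_at` of lifetime."""
    return math.ceil(365 / (lifetime_days * renew_at))
```

Renewing a 47-day cert only at expiry gives the 8 renewals a year mentioned above; renewing at two thirds of lifetime, as most ACME clients do, means about 12.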