Wandering Thoughts archives


Soon to expire TLS certificates aren't necessarily a problem

I'll admit it, I've been conditioned by Let's Encrypt. These days, seeing a TLS certificate that's going to expire in less than 29 days or so feels alarming, and it feels especially alarming if it's got a relatively short duration. I became conscious of this when I noticed just now that Facebook's TLS certificate that I can currently see will expire in eight days or so.

(Since I managed to find it on crt.sh, it's this certificate.)

Is this an actual problem? Well, not necessarily. The primary reason to roll over TLS certificates early (Let's Encrypt clients default to 30 days) is to have a large margin for error. If your client software breaks, or your usual Certificate Authority is having problems (or just doesn't like you), or any number of other things go wrong (because there are a lot of moving parts in a typical certificate rollover), you have several weeks to fix it or to get an emergency certificate from somewhere and go through other manual procedures.

But if you have strong confidence in your own operations and the operations of your Certificate Authority, then you don't particularly need all of this safety margin. If you have well honed processes that will reliably deploy your new TLS certificates in half an hour (or less) from when you push the 'go' button (or automation pushes it for you), and your Certificate Authority will pick up the phone whenever you call (because you're a big, important customer), you can pick a much shorter renewal lead time without any particular danger.

(Whether or not you should depends on your own needs. Also, you can get TLS certificates issued without deploying them, so what shows on your HTTPS websites isn't necessarily an indication of what you could be using if you wanted to.)

The other part of this is of course that the TLS certificate I see when making a HTTPS connection to a major website is not necessarily the one you see. An organization like Facebook has many points of presence and many HTTPS frontends, so the one I talk to may be almost completely disconnected from the one you do, which means that they may be using different TLS certificates for many reasons (including a staged rollout of any new TLS certificate). Making sure all of this works right is not trivial, but it can be done and is done by all of the major organizations.

PS: Poking through crt.sh suggests that Facebook has a lot of TLS certificates that get issued on a regular basis.

web/TLSCertRenewalTiming written at 22:22:40; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.