Mandatory short duration TLS certificates are probably coming soon

April 12, 2025

The news of the moment is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then. The details are in ballot SC-081. In skimming the mailing list thread on the votes, a number of the organizations that abstained seem unenthused (and uncertain that it can actually be implemented), so this may not come to pass, especially on the timeline proposed here.

If and when this comes to pass, I feel confident that this will end manual certificate renewals at places that are still doing them. With that, it will effectively end Certificate Authorities that don't have an API that you can automatically get certificates through (not necessarily a free or public API). I'm not sure what it's going to do to the Certificate Authority business models for commercial CAs, but I also don't think the browsers care about that issue and the browsers are driving.

This will certainly cause pain. I know of places around the university that are still manually handling one-year TLS certificates; those places will have to change over the course of a few years. This pain will arrive well before 2029; under the proposed changes, starting March 15, 2027, the maximum certificate validity period will be 100 days, which is short enough to be decidedly annoying. Even a 200-day validity period (starting March 15, 2026) will be somewhat painful to handle by hand.
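To make the schedule concrete, here is an added Python example (not the post's code) that encodes the SC-081 dates the post gives, checks whether a certificate's lifetime is allowed on its issue date, and works out what renewal cadence each limit really implies once you renew early the way ACME clients do. The 398-day pre-schedule limit is my assumption about the current CA/Browser Forum maximum; the post does not state it.

```python
"""Added example (not the post's code): the SC-081 validity schedule as the post
summarises it, plus helpers to check a certificate's lifetime against it and to
see what renewal cadence each limit really implies."""
import math
from datetime import date, datetime, timedelta, timezone

# (first day the limit applies, maximum validity in days), from the post.
SC081_SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
# Limit before the schedule kicks in. ASSUMPTION: 398 days is the CA/Browser
# Forum maximum in force when the post was written; the post does not say.
PRE_SCHEDULE_MAX_DAYS = 398


def max_validity_days(issued_on: date) -> int:
    """Maximum allowed lifetime for a certificate issued on the given date."""
    limit = PRE_SCHEDULE_MAX_DAYS
    for effective_from, days in SC081_SCHEDULE:
        if issued_on >= effective_from:
            limit = days
    return limit


def lifetime_days(not_before: datetime, not_after: datetime) -> float:
    """Lifetime in days, measured as notAfter minus notBefore."""
    return (not_after - not_before) / timedelta(days=1)


def lifetime_allowed(not_before: datetime, not_after: datetime) -> bool:
    """True when the certificate's lifetime is within the limit for its issue date."""
    return lifetime_days(not_before, not_after) <= max_validity_days(not_before.date())


def renewal_due(not_before: datetime, not_after: datetime, fraction: float = 2 / 3) -> datetime:
    """When an automated client should renew: once `fraction` of the lifetime
    has elapsed. Two-thirds is the usual ACME client behaviour (renewing a
    90-day certificate with 30 days left) so there is slack for failures."""
    return not_before + (not_after - not_before) * fraction


def renewals_per_year(max_days: int, fraction: float = 2 / 3) -> int:
    """Renewals per year if every certificate gets the maximum lifetime and is
    renewed after `fraction` of it: the number a manual process would have to
    keep up with."""
    return math.ceil(365 / (max_days * fraction))


if __name__ == "__main__":
    issued = datetime(2027, 6, 1, tzinfo=timezone.utc)
    for days in (100, 101):
        ok = lifetime_allowed(issued, issued + timedelta(days=days))
        print(f"{days}-day certificate issued {issued.date()}: {'allowed' if ok else 'too long'}")
    for limit in (PRE_SCHEDULE_MAX_DAYS, 200, 100, 47):
        print(f"max {limit} days -> about {renewals_per_year(limit)} renewals a year")
```

The cadence numbers are the part worth noticing: a 47-day maximum renewed at two-thirds of lifetime means roughly twelve renewals a year per certificate, and even the 100-day interim limit means about six, which is why anything still done by hand has to move to an API before then.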

I expect one consequence to be that some number of (internal) devices stop having valid TLS certificates, because they can only have certificates loaded into them manually and no one is going to do that every 40-odd or even every 90-odd days. You might manually get and load a valid TLS certificate every year; you certainly won't do it every three months (well, almost no one will).

I hope that this will encourage the creation and growth of more alternatives to Let's Encrypt, even if not all of them are free, since more and more CAs will be pushed to have an API and one obvious API to adopt is ACME.

(I can also imagine ways to charge for an ACME based API, even with standard ACME clients. One obvious way would be to only accept ACME requests for domains that the CA had some sort of site license with. You'd establish the site license through out of band means, not ACME.)


Comments on this page:

By Opk at 2025-04-13 02:14:17:

At my work the solution still entails a paid CA but there's no automated validation that I control the subdomain I request a certificate for. I request an account, set up certbot and all it does is an https connection to the external CA. I can only get certificates for subdomains of the company's domain. There's no technical barrier to me requesting, say www. but they may have audit logs so that could land me in trouble later.

From 193.219.181.219 at 2025-04-15 03:32:28:

(I can also imagine ways to charge for an ACME based API, even with standard ACME clients. One obvious way would be to only accept ACME requests for domains that the CA had some sort of site license with. You'd establish the site license through out of band means, not ACME.)

This already exists. Both Sectigo and DigiCert for example offer ACME as part of their enterprise plans: their portal provides an EAB (External Account Binding) key which you have to pass to certbot register when creating the ACME account, and then it's tied to your main CA account, including the same pre-validated domains.

(At least with Sectigo this meant that the ACME client didn't need to perform any domain challenges – as long as the subdomain is under a pre-validated domain, the client can immediately "order" a certificate for it. This was both convenient and a slight security worry. You can limit each EAB client to specific subdomains, but for various technical reasons we had a single EAB key valid for all domains and didn't want to scatter its credentials everywhere, so we had a dedicated "ACME client" container that pushes out many certificates into servers via SSH, WinRM, SMB, etc.)

We currently use Harica and their interim ACME implementation is not tied to the main portal account yet, but they're working on it.

DigiCert's early implementation used a different approach of unique, non-guessable "server URL" for each customer.
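The External Account Binding mechanism the comment above describes is specified in RFC 8555 section 7.3.4, and it is also the natural way to implement the site-license charging model the post imagines. The following added Python example (mine, not the commenter's, the post's, or any CA's code) builds the externalAccountBinding object the way an ACME client does and checks it the way a CA would, then applies the "only pre-validated domains" rule the comment mentions. The account JWK, the new-account URL, the kid, the MAC key and the domain list are all constructed placeholders.

```python
"""Added example (not the commenter's, the post's, or any CA's code): building an
ACME External Account Binding (RFC 8555 section 7.3.4) as a client does, and
checking it as a CA would, including only honouring orders for domains that are
pre-validated for that binding."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


# Constructed placeholders: a fake EC account public key (not a real curve
# point), a fake CA endpoint, and a fake EAB credential pair from the "portal".
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"
EAB_KID = "kid-constructed-0001"
EAB_MAC_KEY = b"constructed-32-byte-mac-key-demo"


def build_eab(account_jwk: dict, eab_kid: str, eab_mac_key_b64: str, new_account_url: str) -> dict:
    """Client side: the externalAccountBinding object placed in the newAccount
    payload. It is a JWS over the account's public JWK, MACed with the key the
    CA portal handed out, so the CA can tie this ACME account to a customer."""
    protected = b64url(canonical_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload = b64url(canonical_json(account_jwk))
    mac = hmac.new(b64url_decode(eab_mac_key_b64), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


class EabRegistry:
    """CA side: issued EAB credentials and the domains each one is licensed for."""

    def __init__(self):
        self._entries = {}

    def issue(self, kid: str, mac_key: bytes, allowed_domains) -> None:
        self._entries[kid] = (mac_key, frozenset(d.lower() for d in allowed_domains))

    def verify_binding(self, eab: dict, account_jwk: dict, new_account_url: str):
        """Return (True, kid) if the binding is valid, else (False, reason).
        account_jwk is the key from the outer newAccount JWS; the EAB payload
        must carry exactly that key, otherwise a captured EAB could be replayed
        to bind a different account key."""
        header = json.loads(b64url_decode(eab["protected"]))
        if header.get("alg") != "HS256":
            return False, "unsupported alg"
        if header.get("url") != new_account_url:
            return False, "url mismatch"
        entry = self._entries.get(header.get("kid"))
        if entry is None:
            return False, "unknown kid"
        mac_key, _ = entry
        expected = hmac.new(mac_key, f"{eab['protected']}.{eab['payload']}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
            return False, "bad MAC"
        if json.loads(b64url_decode(eab["payload"])) != account_jwk:
            return False, "payload JWK does not match account key"
        return True, header["kid"]

    def may_order(self, kid: str, fqdn: str) -> bool:
        """The site-licence rule: orders are accepted only for names at or under
        a domain pre-validated for this binding, so no per-name challenge."""
        entry = self._entries.get(kid)
        if entry is None:
            return False
        name = fqdn.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in entry[1])


if __name__ == "__main__":
    ca = EabRegistry()
    ca.issue(EAB_KID, EAB_MAC_KEY, ["example.com"])
    eab = build_eab(ACCOUNT_JWK, EAB_KID, b64url(EAB_MAC_KEY), NEW_ACCOUNT_URL)
    print(ca.verify_binding(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL))
    print(ca.may_order(EAB_KID, "www.example.com"), ca.may_order(EAB_KID, "example.org"))
```

With certbot the two values from the portal go in as `--eab-kid` and `--eab-hmac-key` on `certbot register`, along with `--server` for the CA's directory URL. The `may_order` check is what makes the comment's security worry concrete: whoever holds the EAB key pair can get certificates for anything under the licensed domains without a challenge, so scoping each kid to the narrowest domain set the CA allows, and keeping the credential in one place as the commenter did, is the mitigation.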

Written on 12 April 2025.
Last modified: Sat Apr 12 22:56:30 2025